Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

State of Email Security 2022: Every Company’s Riskiest Channel |  Read the Full Report →

Threat Intel
Tessian Threat Intel
by John Filitz Tuesday, August 30th, 2022
A growing incidence of multi factor authentication (MFA) compromises is dominating the threatscape.    The recent breaches at Cisco and Twilio were part of a large phishing campaign that resulted in close to 10,000 credentials at 130 organizations being compromised. Another noteworthy MFA attack was the recent adversary-in-the-middle (AiTM) compromise at Microsoft, impacting over 10,000 organizations. We’re also tracking the persistent and growing challenges posed by ransomware and nation-state campaigns.   Sign-up for our Threat Intel update to get this monthly update straight to your inbox.    
  The use of MFA is an essential security control but has been over-hyped as providing fail-safe protection.   Social engineering using phishing for credential theft is central to recent MFA compromises.   Phishing attacks are escalating month over month to record highs.   MFA bypass attacks targeting organizations that use Microsoft 365 are on the rise.   ATO attacks are increasing and disproportionately targeting the financial sector.   Ransomware attacks are increasing and are targeting the industrial sector.   The threat posed by nation-state cyber campaigns is expected to persist and increase as geopolitical tensions escalate.
  The cost of a data breach is now $4.35m per incident. For healthcare that figure rises to $10.1m.   Phishing attacks are the costliest form of a breach coming in at $4.91m.   ATO attacks have increased by 307% in the last 2 years, with ATO related losses increasing by 90% in 2021 alone.   Phishing attacks escalated to over 1 million attacks in Q1 2022 – a new record.   Credential theft campaigns that resulted in the Cisco and Twilio breaches are part of a  phishing campaign that made use of what has been dubbed the “oktapus phishing kit.” This phishing campaign netted the Okta login credentials of almost 10k users at 130 organizations – mostly located in the US. Victims were targeted with a SMS phishing campaign linked to a malicious site that captured Okta login credentials and 2FA codes. The credentials were then used to gain access to the corporate networks of the affected companies via VPNs and remote devices.   The recent Microsoft 365 MFA related compromises were, according to Microsoft, attributed to the theft of a significant amount of login-in credentials through a large-scale phishing campaign. Using the compromised credentials, threat actors were able to hijack users’ already authenticated sign-in sessions. The threat actors were then able to access victims’ mailboxes and carry-out business email compromise campaigns against other targets.    According to Mitiga, the vulnerability inherent in Microsoft’s MFA authentication protocol is at the heart of the compromise. In particular, the lack of regular re-authentication prompts for a user’s session, even when a user is provisioning applications of a sensitive security nature, such as registering a second authenticator application in their Microsoft profile, played a big role in enabling escalation of the compromise.    This weakness is further demonstrated in the Privilege Identity Management feature of Microsoft’s MFA, enabling admin users to request admin privileges through the PIM  feature only when needed. However Microsoft does not prompt users to reauthenticate for this privilege escalation on the basis that their existing session has already been authenticated. Compounding these vulnerabilities is the fact that there is no-way for customers of Microsoft 365 to override the MFA native features and request additional reauthentication prompts.   According to NCC Group, ransomware attacks are up 47% compared to a month earlier, with the top 3 targeted industry verticals industrials (32%), consumers cyclicals (17%), and technology (14%).    Lockbit 3.0 and Hiveleaks and BlackBasta are the top 3 trending ransomware groups, with Lazarus Group activity also increasing.   The threat of nation-state cyber campaigns is growing according to CSIS, with 86% of organizations indicating that they have been recently targeted on behalf of a nation-state.
  The recent MFA compromise breaches indicate the limitations of this singular security control. This is resulting in an increasing number of successful ATO attacks.    As threat actors become more sophisticated, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information system against ATO attacks is leveraging machine learning powered behavioral-based cybersecurity like Tessian that is able to detect anomalous behavior as it arises. This includes once an attacker has effectively bypassed security controls such as MFA.
To see how Tessian prevents ATO attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Integrated Cloud Email Security
Product Update: Tessian Enhances Portal Navigation to Help Security Teams Respond to Incidents Faster
by James Alliband Monday, August 22nd, 2022
We are always looking at ways we can improve product efficacy and user experience for our customers. Our latest update – a new and enhanced portal navigation system – achieves just this. It enables security teams to prevent, detect and respond to threats coming into and out of the inbox in a much more efficient way. 
New and enhanced portal navigation system This new navigation system in the Tessian Cloud Email Security Platform significantly improves security team incident response time, making them more efficient in triaging email security incidents.    Today, security teams that rely on traditional email security defenses spend as much as 9-12 hours detecting and responding to each email security incident.   New navigation enhancements   The enhanced portal navigation reduces this administrative burden, helping security teams to work smarter, not harder, by giving them time back to spend on more important tasks. The navigation has been restructured to the two main use cases of the Tessian Cloud Email Security Platform:    Email Threat Prevention   Data Loss Prevention 
Accelerating response times with new navigation bar We have also updated the portal with a new navigation bar allowing quick navigation between insights and security events, so that teams can get to the content they need, faster.    We have also updated the portal’s overall design to give it a fresh and more appealing look and feel. This latest enhancement to the user experience is a testament to our continuous investment in innovation to deliver a first-class customer experience. Don’t just take our word for it, read these Gartner Peer Insights…    The new and improved portal navigation and user interface has been rolled out to all of our existing customers.  
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn  
Read Blog Post
Integrated Cloud Email Security
Phishing, Email Breaches and Multi-Factor Authentication Compromise Take Center Stage at Black Hat 2022
by John Filitz Tuesday, August 16th, 2022
After almost three years of pandemic induced disruption, Black Hat 2022 marked the return to a semblance of normalcy in Las Vegas. The number one hot take from 2022’s show was the hope for the pandemic to finally be behind us.    One aspect, however, that will never be the same again is the rapid shift to distributed computing environments, across the world. This explains why cloud adoption is growing at an unprecedented scale, with Gartner forecasting almost $500 billion will be spent on cloud services in 2022, with the figure rising to nearly $600 billion by 2023.    Increasing complexity and a rapidly expanding attack surface area are some of the main drivers, according to former CISA director Chris Krebs in his opening keynote, of why cyber risk is going to get worse before it gets better. Krebs also called on the cyber community and the government to continue bolstering efforts to address cyber risk.
Phishing and multi-factor authentication compromise   Phishing and multi-factor authentication (MFA) compromise were among the dominant threats covered by established and emerging security vendors at Black Hat 2022. Trying to stay relevant, one of the legacy email security solutions unveiled machine learning capabilities in an attempt to address cyber threats that are increasingly able to bypass secure email gateways (SEGs).   Tessian’s CISO, Josh Yavor and KnowBe4’s Roger Grimes both focussed their Black Hat presentations on the how threat actors are leveraging social engineering to compromise MFA, with Roger underscoring that 70-90% of all breaches are attributed to social engineering, including MFA compromises.   Although MFA remains an important security control, organizations have been prone to placing too much faith in this one particular security measure. Although underscoring the importance of MFA, Roger cautioned against the overstated claims that by adopting MFA an organization is near impenetrable.     Tessian’s Josh illustrated how MFA has become an important security control, but that threat actors are able to compromise it via a range of social engineering attacks. Josh ended his presentation with an appeal – only by adopting advanced anti-phishing solutions, that leverage machine learning powered behavioral intelligence to detect threats as they manifest, can the risk of a credential compromise be reduced.   Some of the other themes observed at Black Hat 2022 included a focus on addressing cloud and end-user cyber risk, with a range of solutions that included contextually aware API security, intelligent vulnerability management, end-user isolation for a hybrid workforce, as well as ensuring that security awareness training actually strengthens security culture.  
Cyber risks caused by human error    Coinciding with the annual security conference, several high-profile breaches were trending, including a Lapsus$ ransomware attack on Cisco in early August, as well as Marriott International suffering a third breach since 2018. Both attacks were attributed to employee credential compromise.    In the case of Cisco, the threat actors compromised an employee’s personal Gmail account and gained access to stored credentials in that account. In the case of Marriott, a month prior to the 2022 Black Hat conference, an employee at one of its hotels provided credentials to a threat actor.   Both instances underscore the reality that people make mistakes and that a layered security strategy is no longer a nice to have but is essential to reducing the risk of a breach. These instances also validate findings from recent seminal industry security reports including IBM’s Cost of a Data Breach 2022 and Verizon’s DBIR 2022 demonstrating that compromise credentials and phishing are the leading threat vectors.    Similar findings have been echoed in the vendor community, most recently by Palo Alto’s Unit 42, showing that 70% of its incident response is attributed to business email compromise and ransomware related attacks.
The future of cybersecurity is in the cloud   Breaches are increasing in frequency as well as costs associated with a compromise, with the average breach cost now costing victims an average of $4.35m. That number jumps to $10.1m if you happen to be in healthcare.   Only by leveraging best-in-breed cloud native security solutions will increasingly advanced attacks be detected and prevented. Cloud native security solutions benefit from not carrying technical debt from an on-premise world, but rather have the advantage of being engineered from the ground-up for adaptive, cloud-based threats.   For example, Tessian’s Intelligent Cloud Email Security Platform has behavioral intelligence at its core – enabled by machine learning, using Natural Language Processing (NLP) and Natural Language Understanding (NLU) – is able to detect threats as they manifest, in real-time. This includes threats that have been able to circumvent initial security controls such as MFA or legacy static, rule-based email security solutions like SEGs.
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Podcast, Compliance, Interviews With CISOs
Lola Obamehinti on What Good Security Awareness Training Looks Like
by Laura Brooks Saturday, August 13th, 2022
With a wealth of experience in developing and leading security and awareness programs at companies including eBay and TIAA, Lola Obamehinti knows what makes a good program. Lola, the founder of Nigerian Techie and former ,  joined Tim Sadler, Tessian CEO and co-founder, on the RE:Human Layer Security podcast to discuss security and awareness training – why it matters, how to make it effective, and the secret to keeping employees engaged.    Tim and Lola also discussed diversity in tech, with Lola reflecting on the work that remains and how to increase inclusivity and diversity in the industry.   Listen to the whole episode or read on for some key Q&As from the interview.   Q: Why is security awareness so important in organizations today?   A: Security awareness and training are crucial for every organization because employees need to understand their role in protecting confidential company data and information. When cybercriminals target a company and attempt to gain access to networks and systems they do not only target IT or tech employees. Each and every employee has the potential to be a target, regardless of their role. So it is really important to equip employees with the proper tools to identify phishing attacks and other methods that cybercriminals may use to infiltrate an organization.   Q: What does a good security awareness program look like?   A: Effective security awareness and training programs require a multifaceted approach. It is not just training, and it is not just security awareness events or communications – it is all of those elements working together.    You could even divide security training up further into phishing simulations, which then feed into additional security training, alongside required security training (that could also be role-specific). The communications pieces and events also play a big role because you need to let the employees know where they are missing the mark, and also lead effective security awareness events. Finally, you need to use data to track the progress of all of those particular programs.    This well-tracked, multifaceted approach really helps to keep security at the forefront of employees’ minds, and in my opinion, is what works best. 
Q: How do you improve a pre-existing program and engage employees?   A: Additional funding is the best way to improve a pre-existing program. It may seem like the easy answer, but in my experience, I have noticed that security awareness and training is one of the parts of security that is often a bit underfunded. Companies often say that additional funding isn’t necessary, but whenever an incident happens security awareness and training is one of the first teams that is notified.    Now when it comes to the content of the program, context is key. To engage employees and help them retain information, you need to provide context to the lessons you are teaching them.    For example, when I was leading security awareness and training at eBay, we were entirely remote, so ensuring employees were well engaged was a key focus. One of the things we did was in January after the popular Coinbase advert that was shown at the Superbowl. The advert featured a QR code bouncing around the screen, similar to a bouncing DVD logo. So, I wrote an article about protecting yourself against QR code phishing, using the advert to provide context.   The engagement was huge – a few of our engineers even created their own QR codes! Until then I didn’t think that level of engagement was possible, but it just goes to show what happens when employees are truly interested in a topic. You just need to make it relevant to them.
  Q: What diversity and inclusion work is left and how can leaders help?   A: Right now, there is a lot of work left to do in the industry when it comes to diversity and inclusion. The security industry reflects the greater technology industry where there is not a lot of representation. Even for San Fransisco-based companies, the representation of Black, Indigenous, and People of Color (BIPOC) teeters around 2-5%, which is really really disheartening. Particularly because in 2014 a lot of the major tech companies started releasing diversity reports, but the numbers really haven’t moved since.    To change this I believe that the gatekeepers, from hiring managers to executives, need to give opportunities to individuals who might not have a traditional path. Maybe they just have a passion, maybe they have done a lot of extracurriculars like starting a podcast or YouTube or Discord to educate other individuals on security. They may not have the right certifications, but those individuals should be given more opportunities at entry-level or even management.   Also, for the individuals who are already in the industry – if they don’t feel included or like there are proper opportunities for advancement they leave. We have all seen the lawsuits that are being brought against Google and other tech organizations where people have been discriminated against, experienced racial microaggressions, and were not promoted or compensated fairly. So the work doesn’t stop once you have a diverse workforce – you need to make them feel continually included.    Finally, I would like to highlight that diversity is not just about BIPOC. It can be gender, background, or socioeconomic status, it can be anything. I think of diversity as diversity of perspective and thought – and it is so important for the overall success of a company.
Read Blog Post
Integrated Cloud Email Security, Interviews With CISOs
Hot Takes: 8 Ways to Strengthen the CISO and CFO Relationship
by John Filitz Thursday, August 11th, 2022
As cyber risk continues to escalate, strategic collaboration between the Chief Information Security Officer (CISO) and Chief Financial Officer (CFO) is becoming more important.    In a recent webinar discussion between Tessian’s CFO, Daniel Kim, Jason Thomas, CIO at Cole, Scott and Kissane and Steve Kinman, CISO at Snyk, we talked about the key elements to addressing cyber risk at a strategic and fundamental level.    What did we uncover? Ultimately, the CISO and CFO roles are changing, and collaboration between these two important stakeholders is essential for businesses to mitigate cyber risk, while also driving business objectives forward. The panel also outlined some of the key principles necessary for enabling a dynamic risk mitigation and business value-led partnership.
1. Focusing on cybersecurity fundamentals  The risk for a cyber breach and the costs associated with breaches are increasing. In fact, the 2022 Cost of a Data Breach Report from IBM revealed that the cost of a data breach now stands at $4.35 million, up 13% from 2020.    According to Jason Thomas, CIO at Cole, Scott and Kissane, security leaders must focus on the security fundamentals as a starting point. This includes understanding your environment i.e. classifying your assets, knowing what you have from a technology and people standpoint, as well as the degree of cyber risk faced by your organization.  
2. Quantifying cyber risk  For Daniel Kim, CFO at Tessian, moving away from a binary quantification of cyber risk is the first and important step to addressing increasing cyber risk, so too is appreciating that “the risk is never going to be zero.”    As a next step, he says, it is important that companies also appoint C-suite steering committees that should operate in a similar fashion to disaster risk committees. This would move companies out of a reactive to a proactive position on cyber risk mitigation. 
3. Prioritize cybersecurity spending   Prioritizing cybersecurity investments can often face questions of relevance from other business leaders on the value that these investments would add to the company. For Jason it is essential that company leaders ask themselves, “how much is one hour of downtime worth to the company.”   For Steve Kinman, CISO at Snyk, many companies are still struggling to adequately prioritize cybersecurity program development, stating “what I hear a lot from teams is that they’re doing a lot of ad hoc security planning…and there’s no-rollup of that information to the C-suite or board.”  Every cybersecurity initiative, he says, must be aligned with the business and its objectives.    
4. Cyber risk as a financial risk   On the growing importance of CFO and CISO relationship building, Tessian’s Dan underscores that the growing importance rests on two important aspects, namely the frequency and the impact of risk.    On frequency of risk, it is imperative that leaders understand what risks exist in their environment. This can range from natural, geopolitical, financial and cyber risk. On impact, the increasing costs associated with cybersecurity events, including loss of revenue, downtime, to the loss of data and IP, have rendered cyber risk as a financial risk, says Dan.   Combined with regulatory changes that will result in the C-suite being held personally liable for cyber breaches is essentially elevating the importance of dealing adequately with cybersecurity risk – with Dan adding, “reacting to a breach after the fact is no longer a good business model.”    
5. Healthcheck on the CISO and CFO relationship   Synk’s CISO Steve noted that for the majority of organizations a disconnect between the CISO and CFO is apparent, noting many CFOs don’t understand cybersecurity terminology and do not understand the real cyber risk facing their organizations. It’s important to shift the conversation from cyber risk to business risk.   Touching on the evolution of the CISO role, Jason states it is critical that security leaders understand the fundamental financial aspects of the business in order to prioritize investments to address these risks.     
6. The importance of ROI   Having measurable return on investment (ROI) from your security tools is non-negotiable for every business. For Jason, this entails conducting routine audits on the security tool efficacy. Not being able to get the data out of the tools and demonstrate what impact they are having leaves you unable to determine whether the tool is performing as expected and is delivering ROI.   Using  a framework that categorizes the investment by the following criteria for Dan is helpful:   investments that generate revenue investments that cut cost investments that manage risk   Every business leader – including CISOs – need to be able to translate their area of expertise and programs underway to business outcomes, according to Dan. Learning how to speak the same risk language, being the catalyst for change and making it a collaborative journey is so important to achieving business outcome success.     
7. Become an effective C-suite communicator  It’s only once a breach has happened that cybersecurity programs are prioritized. This, according to Steve, is the well-known mantra of “not wasting a breach” to increase the cybersecurity budget.    Although this approach is commonly used in the industry, there is a need for a more proactive approach. Steve cautions, however, that security and risk leaders need to be tactical with their asks for additional cybersecurity investments – you need to have a well developed and well-communicated cybersecurity strategy in place first.   Additionally, overcoming communication obstacles that may exist between the CISO and the C-suite, requires developing a set of metrics for reporting that conveys maturity of the program, rollout according to timeframes, and being able to show how risk is trending. The C-suite and board require a different type of language than most security practitioners are familiar with  – don’t go too deep on security jargon.    
8. Overcoming the cybersecurity perception problem In a 2022 Tessian study, we found that only 58% of employees believe that senior executives at their  company value cybersecurity. For Steve, recognizing that most companies recognize that cyber risk is the number 1 risk, and that’s where the acknowledgement stops.    Even large corporations don’t demonstrate how essential cybersecurity and cyber risk mitigation are to their overall growth strategies. Cyber risk needs to be intertwined in the business plan and commonly understood by all of the business units. When cybersecurity risk is not referenced in the business plan that is where the perception of cybersecurity not being valued manifests from.   Jason and Dan agree that security awareness training needs to be ongoing and doesn’t need to be overly complex. Jason uses a constant messaging approach to drive security awareness on the risks being seen in the industry and measures his team have in place to safeguard his company.  
Building a Long-Term Relationship   The importance of strategic collaboration between CFOs and CISOs is coming into sharper focus, particularly as cyber risk continues its upward trajectory.    For organizations that are behind the technology adoption curve, according to Dan, cybersecurity risk can no longer be seen as a standalone, siloed IT project, but rather it needs to be seen as key business risk facing the enterprise.   Sharing information and intelligence i.e. constant communication on breaches threat trends in the industry as well as demonstrating what measures are in place helps Jason and his team build trust with the C-Suite.     Steve advises, it can be very intimidating to think that the CFO doesn’t care about cyber risk, get over that fear, go and speak to your CFO, build that relationship.    Building an effective relationship between the CFO and CISOs takes collective effort, as well as a shared view on the extent of cyber risk facing the organization. Having a well-oiled partnership between these two important business stakeholders can both mitigate cyber risk and as well as deliver success on business objectives.     
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Email DLP, Integrated Cloud Email Security
Tessian Recognized as a Representative Vendor in the 2022 GartnerⓇ Market Guide for Data Loss Prevention
by Negin Aminian Tuesday, August 9th, 2022
Tessian has been recognized by Gartner in the Market Guide for Data Loss Prevention (DLP) 2022 as a Representative Vendor for next generation DLP. Gartner makes the distinction that, “DLP is a mature technology, but the emergence of tools with a focus on cloud and insider risk management use cases has provided SRM leaders with the option to invest in a next-generation data security tool.”    State of the DLP market and why email matters The need for cloud native DLP tools is growing in-step with increased public cloud adoption, and the report mentions that, “In 2021, Gartner fielded 29% more client inquiries on the topic of DLP than in 2020.” In the latest Gartner forecast, “Worldwide end-user spending on public cloud services is forecast to grow 20.4% in 2022 to $494.7 billion, up from $410.9 billion in 2021, according to the latest forecast from Gartner. In 2023, end-user spending is expected to reach nearly $600 billion.”   Email is a significant threat vector for data loss. In separate research conducted by Tessian (2022), the risk for a data loss event occurring via email is high, with nearly 60% of organizations surveyed having experienced an email data loss incident due to an employee mistake in the last 12 months. Email was also identified as the riskiest channel for data loss, followed by cloud file-sharing and instant messaging platforms.   Gartner underscores the importance of addressing data loss risk on email due to the fact that “email is one of the most prevalent means of sending information and a priority for most clients.” And in reference email security DLP capabilities, Gartner states:   “Some email security vendors’ solutions can also address accidental data loss use cases, such as the sending of email to the wrong recipients or the sending of wrong attachments. These solutions use artificial-intelligence- based algorithms to track users’ email patterns and notify users if they may be accidentally sending sensitive information.”   These intelligent email DLP capabilities are native to Tessian, having the ability to prevent misdelivered emails and misattached files from being sent, as well as preventing malicious attempts at email data exfiltration.   Key findings from the Gartner Market Guide for DLP The report identifies three key findings: “Data loss prevention programs that are not tied to specific initiatives and goals are indicative of immature data security governance. Traditional DLP vendors that focus on conventional and data specific content inspection methods, can lead to fatigue and a siloed view of data movement. Legacy DLP tools rely on detection methods that were developed for on-premises workloads. Cloud migration has complicated the vendor selection process for clients, since these legacy approaches to DLP often are no longer viable.”   Some of the key recommendations include: “Define a DLP strategy based on data risk and the needs of the business.” Invest in a DLP solution that not only provides content inspection capabilities but also offers extra features such as data lineage for visibility and classification, user and entity behavior analytics (UEBA), and rich context for incident response. Overcome the challenges presented by a cloud-first strategy by implementing a solution to map and secure sensitive data across the hybrid environment.”
How Tessian protects against accidental and intentional data loss on email   Tessian’s unique approach to securing the email ecosystem and preventing email data loss hinges on three pillars:   Enabling intelligent and automated email security that leverages machine learning powered behavioral intelligence to detect both known and unknown threats, in real time. This prevention capability extends to automatically preventing email data loss from both malicious insider and accidental data loss use cases. Improving security operations (SecOps) efficiency by preventing data loss events from becoming incidents, reducing the time spent triaging incidents, as well as time spent configuring static DLP rules. Strengthening security culture by creating a positive end-user experience by empowering end-users to make the right cybersecurity decisions.
An intelligent approach to cloud email security  By leveraging machine learning powered behavioral detection, Tessian’s cloud email security platform is able to prevent both accidental and malicious data loss attempts from becoming incidents – ensuring data security compliance, while reducing the burden on SecOps.    Combined with contextual, in-the-moment end-user warning banners, security culture is strengthened by empowering end-users – through a range of DLP policy enforcement options – to make the right security decisions.   Want more information on how Tessian can protect your organization against email DLP? Click here to schedule a demo.
To see how the Tessian Intelligent Cloud Email Security platform prevents insider threats and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.       Gartner, “Market Guide For Data Loss Prevention”, Ravisha Chugh, Andrew Bales, July, 19, 2022. Gartner Disclaimer: GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Read Blog Post
Threat Intel
Tessian Threat Intel Roundup: July 2022
by John Filitz Friday, July 29th, 2022
Impersonation attacks are a significant contributing factor to the growing phishing challenge, with APWG reporting over 1 million phishing attacks in Q1 2022 – the highest number of attacks recorded for a quarter.   Threat actors are targeting well-known brands to carry-out sophisticated social engineering attacks and are leveraging legitimate 3rd parties to conduct their attacks. Threat actors are also using open source intelligence to impersonate and target specific individuals within companies.   Once trust has been established, the threat actor can further compromise the information system – this includes compromising vendors within the target’s supply chain – by delivering a malicious payload.   The challenge in detecting impersonation attacks is expected to become more protracted in the short term. This is due to the majority of organizations still relying on legacy rule-based email security solutions that are unable to detect sophisticated impersonation attacks.   Sign-up for our Threat Intel update to get this monthly update straight to your inbox.  
Impersonation attacks mimicking well-known and trusted brands, and will remain a mainstay for threat actors to perpetrate attack campaigns that include fraud and account compromise as key objectives.   Impersonation attacks are becoming more targeted and are leveraging open source intelligence, targeting smaller companies as well as specific individuals at those companies, with the C-suite particularly targeted.   Legitimate 3rd party services providers,  including mass-mailing services and payment providers are increasingly common methods employed by threat actors.   Account Takeover-based impersonation attacks, specifically within the supply chain ecosystem of a particular company, pose among the greatest threats. This is due to the threat actor operating within the “circle of trust” and having access to multiple targets.
The FTC has reported a sharp increase in impersonation fraud, with losses totaling $2 billion in the period October 2020 to September 2021. Some of the leading corporations are the most impersonated. In the technology space, this includes Microsoft, Google, Amazon and Apple as among among the most impersonated brands.   Email impersonation attacks come in different guises including:   Typosquatting – in this instance the threat actor sets up an email domain that appears to be legitimate – however with one or several characters replaced with look-a-like characters, for example using zero instead of “o.”   Email domain spoofing – the threat actor will manipulate the email headers so that false email address is displayed to the sender, for example the sender’s email address is “fraudster@cybercrime.com,” but the recipient sees “billgates@microsoft.com” in their inbox. Often email domain spoofing will include some degree of brand impersonation, including use of brand logos and email footers, to enhance the legitimacy of the malicious email.   Account Takeover – ATO attacks are possibly the most insidious form of impersonation attacks due to the threat actor leveraging a compromised and “trusted” email account to perpetrate an attack.   Threat actors often use a sense of urgency combined with some intelligence to get the target to carry-out their request, for example, such as requesting urgent payment of a known supplier invoice but to a bank account number controlled by the threat actor.   Malicious payloads in the form of attachments or links are also commonly used. The malicious nature of the payload is obfuscated to bypass rule-based security controls.   In the case of a malicious attachment, common obfuscation methods include changing the file name to a “.doc” or “.pdf” or in the case of a malicious link, using third-party mailing services to deliver the malicious links. This can include the use of link-redirects that will redirect the victim using a “safe” link to a safe website, which then redirects to a malicious website.   One noteworthy impersonation attack campaign included the NOBELIUM campaign detected by Microsoft Threat Intelligence. In this campaign, threat actors leveraged a legitimate mass-mailing service Constant Contact to impersonate the US International Development Aid agency (USAID) to distribute malicious URLs to a “wide variety of organizations and industry verticals.”   More recent impersonation campaigns are leveraging a combination of phishing email and a call-back number impersonating a well-known and trusted security vendor in an attempt to compromise the target via remote administration tools (RAT).
The need to upgrade email security is increasingly moving up the priority order list.   Legacy rule-based solutions are unable to detect multi-tiered impersonation attacks that remain undocumented in most threat intel engines on which legacy solutions rely.   Adaptive, machine learning powered behavioral detection is essential to detect unknown and rapidly evolving threats, including supplier based ATO attacks.   Leveraging security solutions that incorporate security awareness training as part of the active defense measures remains a key element of ensuring that end-users are in a better position to detect impersonation attacks.
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Integrated Cloud Email Security, ATO/BEC
How to Prepare for Increasing Cyber Risk
by John Filitz Wednesday, July 13th, 2022
Each year it seems we are met with new complex challenges and risks that few could have predicted. In turbulent times, it is prudent to take stock of what business and security leaders can control. Allocating dedicated resources to more effectively manage both known and unknown risk is fast becoming essential to shore-up organizational resiliency.   Turning the focus to the sector that is germane to what we do at Tessian, effectively managing cybersecurity risk is now more critical than ever. In fact, cybersecurity risk is now considered the number 1 risk faced by businesses according to Allianz’s 2022 Global Risk Barometer, followed by business interruption (2) and natural disasters (3).   Read on to learn more about some of the key cyber risks organizations are faced with today, and how best to mitigate it.
Cybersecurity risk is increasing The costs associated with breaches are increasing each year. The global cost and impact of cybercrime damages is expected to reach $10.5 trillion in damages by 2025 – representing a 350%+ increase from 2015.    A sign of the worsening cyber risk can be seen in the cybersecurity insurance industry. Given the high number of recent claims, up by 500% in 2021, has resulted in cyber insurance premiums seeing significant escalations – essentially doubling over the past year. And as a result of recent developments in Ukraine, leading insurers are now excluding suspected nation-state cyber attacks from coverage provisions.  
Persistent and increasing email security risk   Due to its open nature, email remains the preferred method for delivering a malicious payload, including ransomware – responsible for up to 95% of breaches. Email also attracts the greatest investment in the attacker value chain and is the riskiest channel for data loss.    Until recently, detecting and preventing email threats relied on static, rule-based solutions like Secure Email Gateways (SEGs). These solutions are only able to detect known threats because they rely on a threat detection engine of already documented threat campaigns. But threats have become more advanced and are proliferating at an alarming rate, with the net result these threats are going undetected by SEGs and are reaching victims’ mailboxes.   According to Verizon’s DBIR 2022, email-delivered social engineering attacks are growing in complexity, with phishing responsible for 60% of these attacks. In addition, the FBI reported that $43 billion has been lost globally due to Business Email Compromises (BEC) in the past 5 years, with a 65% increase in BEC fraud related losses reported globally in the period 2019 to 2021.  
The growing ransomware challenge   Advanced cyber threats like ransomware are also trending in the wrong direction. Ransomware related damages exceeded $20 billion for 2021 – representing a 57x fold increase from 2015. By 2031 ransomware damages are expected to reach $265 billion. Responsible for 75% of cybersecurity insurance claims, Ransomware-as-a-Service offerings are mainstreaming the ability to carry out devastating ransomware attacks.    Russia-based Conti ransomware gang aka Wizard Spider has been linked to 50 incidents in April 2022 alone, including attacks on the Costa Rican and Peruvian governments. Currently there is a $15million bounty on Conti from the US government – indicative of the scale of the problem. The FBI estimates that over 1,000 Conti ransomware victims have paid in excess of $150 million in ransom in the past year.    Also concerning is the increasing proliferation of wiper-malware seen in 2022 in cyber attacks against the Ukraine in 2022. Disguised as ransomware, wiper-malware essentially wipes all data from infected hosts. In response to the growing ransomware threat, CISA announced the formation of a ransomware taskforce at the end of May 2022.   
Software supply chain vulnerability   Software supply chain cyber risk is another leading concern for CIOs and CISOs. The acceleration of digital transformation and cloud adoption, and increased speed of deployment through DevOps processes, have resulted in dramatically expanding the attack surface area with vulnerable code and applications exposed online.    Software supply chain attacks remain a vulnerable element given the high impact and high reward for the attackers as has been demonstrated in the SolarWinds and Kaseya attacks. 
Final thoughts for staying safe in a volatile cybersecurity environment   Prioritizing cybersecurity program development is now a core aspect of effective organizational risk management. There however remains a collective need in the vendor and the broader business community to elevate and educate executives particularly at the board level, on the importance of proactive cybersecurity risk management.    Assume you will suffer a breach. From this risk-aware position think about the proactive steps you can take to improve your cyber resilience. The escalating email, ransomware, wiper malware and supply chain vulnerability risks underscore the imperative for investing in intelligent and agile cybersecurity defenses.   Continuously seek out innovative solutions that keep your environment safe, while at the same time ensure high degrees of employee engagement on the importance of security awareness.  
To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Email DLP, Integrated Cloud Email Security, ATO/BEC
What is an Integrated Cloud Email Security (ICES) Solution?
Thursday, July 7th, 2022
In recent years, the shift away from on-prem email platforms to cloud-based platforms has been dramatic, with Gartner estimating that 70% of organizations now use cloud productivity suites like Microsoft 365 and Google Workspace. But as email migrates from legacy on-prem approaches to the cloud, securing these cloud based services becomes the next big challenge. Enter Integrated Cloud Email Security.
What is an Integrated Cloud Email Security (ICES) Solution? The term ‘Integrated Cloud Email Security (ICES)’ was coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, and positioned as the best defense against advanced phishing threats that evade traditional email security controls.     ICES solutions are cloud-based, and use APIs to detect anomalies in emails with advanced techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Using API access to the cloud email provider, these solutions have much faster deployment and time to value, analyzing email content without the need to change the Mail Exchange (MX) record.   Taking it one step further, ICES solutions can also provide in-the-moment prompts that can help reinforce security awareness training (SAT), and are able to detect compromised internal accounts. In the report, Gartner reflected on the future of ICES solutions, suggesting that they would eventually render SEGs redundant:   “Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers’ native capabilities and an ICES is replacing the traditional SEG.”
Gartner predicts that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG)… But why?   In short, legacy SEGs are no match for the cyber threats of tomorrow. Email is responsible for 96% of cybersecurity breaches, making it the greatest threat vector. In fact, in the 12 months between July 2020 and July 2021, Tessian detected 2 million malicious emails that had bypassed SEGs. So why are traditional SEGs not fit for today’s cybersecurity landscape?
Rule-based approaches don’t cut it SEGs were developed in 2004 with on-premise email servers in mind and use a rule-based approach to threat detection. They use deny lists, allow lists and signatures for message authentication to help stop attacks – with these lists created using threat intelligence. They are reactive by design, and protect email data against threats that are already known. This means that SEGs offer no protection against zero-day attacks (a significant and growing threat vector), and are easily evaded by attackers using advanced social engineering campaigns. SEGs also fail to detect business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks.
The migration to the cloud   More and more, organizations are adopting SaaS offerings like Microsoft 365 – which have SEG capabilities natively included. This shift was well underway before the pandemic, but has since been accelerated with data suggesting that ICES solutions are here to stay and will displace SEGs from the cybersecurity stack.. The rise of offerings like Microsoft 365 and Google Workspace and the move away from SEGs comes as no surprise, with enhanced functionality at the platform level that can include:   Blocking emails from known bad senders Scanning attachments with AV Blocking emails with known bad URLs Content analysis to identify SPAM   Given these native SEG-like capabilities in cloud productivity suites, makes ICES solutions the perfect supplement to ensuring comprehensive email protection. ICES solutions are so effective because they  provide protection against many of the threats SEGs fail to detect – when used in combination with SaaS offerings like Microsoft 365.
What are the benefits of ICES solutions?   ICES solutions offer more than just threat detection. Key features of ICES solutions  can include:   BEC and ATO Attack detection using NLU, NLP, social graph analysis and image recognition Context-aware banners to warn users Phish Reporting Mail Security Orchestration, Automation and Response (MSOAR) capabilities to assist in automatic reclassification of emails and removal from inboxes
How to evaluate ICES vendors   The number of  ICES solutions available on the market is continually growing. There are a few key things you should consider when evaluating which ICES solution to use. Taking a look at your current email security framework and comparing it to your end goal, the following elements should be analyzed:   Time-to-value, return-on-investment time horizon Cost of effort to install and manage False positive rate ML- and AI-based technology to detect advanced social engineering attacks including BEC and ATO attacks Ability to analyze and map conversation history Computer vision to analyze suspicious data and links in emails User education controls to reinforce training, including context-aware banners and/or in-line prompts Ability to analyze emails prior to delivery to the end user API integration  of email events into Extended Detection and Response (XDR) or Security Information and Event Management/Security Orchestration, Automation and Response (SIEM/SOAR) solutions   Still struggling to decide? Have a look at the 2021 Gartner Market Guide to Email Security, which contains further information on ICES vendors, including Tessian.
Why choose Tessian?   Tessian was recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security.     What sets Tessian apart from other ICES solutions is its advanced email security and email data loss prevention (DLP) capability, including:   Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover  Invoice Fraud Bulk Remediation Automated Quarantine  Threat Intelligence   Tessian also offers protection against both malicious and accidental data loss, in-the-moment security awareness training for suspected phishing emails and in-the-moment security awareness notifications. 
To summarize, there are four key Tessian differentiators:   Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear-phishing, and all impersonation attacks that bypass SEGs, M365, and G Suite. Protection also includes class leading email DLP. Education and awareness: With Tessian’s in-the-moment training, organizations can educate and empower users to build continuous email security awareness  Reduced admin overhead: Tessian removes the burden on SOC and admins by automating repetitive tasks such as maintaining triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements. Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI     To find out more about Tessian as an ICES solution, and the key findings listed in the 2021 Gartner® Market Guide for Email Security, click here. 
Read Blog Post
Threat Intel
Tessian Threat Intel Roundup for June
by Charles Brook Tuesday, July 5th, 2022
The Tessian Threat Intel team continues its focus on business email compromise (BEC) campaigns. We issued a Threat Advisory for a PayPal themed campaign we have been tracking since January.   The threat actors in this campaign are seeking to illicit payment fraud and potentially compromise credentials. Other key threats that we are focussing on include increasingly advanced methods for Account Takeover (ATO) and the persistent threat of email-delivered ransomware, including a spike of wiper-malware. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.
  Tessian Threat Intelligence has recently tracked and observed scammers, on numerous occasions sending emails with fake invoice payment requests from payment service providers such as PayPal. From early evidence we are seeing, online fraud campaigns are on the rise, with the potential to evolve to ATO based attacks. Although the primary targets are private consumers, we are likely to see similar attacks targeting vendors and suppliers in the enterprise. The increasing sophistication and targeted nature of attacks observed across the cybercrime landscape represent the maturation of cyber crime, with threat actors targeting specific entities rather than random targets. A number of these phishing attacks are leveraging open source information, as well as relying on information gathered from previous data breaches to identify high yield targets.
  Tessian Threat Intel continues to track BEC and payment fraud campaigns with executive impersonation observed as a consistent theme.  Cryptocurrency payment fraud has already resulted in over $1billion in losses according to the FTC and is up 60x in 2021 compared to 2018. Ransomware-as-a-Service gang activity emanating from Russia is on the rise once again, with REvil re-emerging after an initial law enforcement crackdown. Wiper-malware is surging in 2022, first seen in Russian cyber attacks against Ukraine. Russian APT groups have been observed exploiting the Follina vulnerability.  Microsoft released a patch for Follina in June but we may see a spike in attachment-themed phishing abusing the vulnerability before the fix is widely implemented. Chinese APT groups have been using ransomware as a decoy to carry out espionage campaigns. Other attack campaigns that have captured our attention include the increasing phenomenon of voicemail themed phishing campaigns observed by Zscaler. We expect email delivered ransomware, including the growing prominence of wiper-malware to remain leading threats in 2022. A recently launched carding site ‘BidenCash’ gave away a list of stolen card details for free across darkweb forums to promote their store.
  Having intelligent and layered cybersecurity defenses in place, particularly securing email and the endpoint, are critical for staying safe. Leveraging behavioral cybersecurity solutions that can detect sophisticated social engineering attempts is essential, as threat actors continually develop intelligent methods to bypass rule-based security controls. Practicing good cybersecurity hygiene and regularly testing your security controls, including business continuity and disaster resilience capabilities, are of fundamental importance to cyber resilience. Conducting in-the-moment and contextual cybersecurity awareness training on advanced email threats for your employees should be prioritized  – end-users are your first line of defense.
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Threat Intel
Tessian Threat Intel Roundup for May
by John Filitz Monday, May 30th, 2022
Tessian Threat Intel focussed on crypto and payment fraud campaigns for the month of May, particularly PayPal related scams which have become increasingly sophisticated over the last several months. Most recently we have identified scams relating to fraudulent email invoices requesting payment via PayPal, with some of these scams requesting payment in Bitcoin.    Keep reading for recommendations for staying safe, and sign-up for our Threat Intel update to get this monthly update straight to your inbox. 
Social engineering remains a persistent global threat that continues to evolve to evade law enforcement and cybersecurity detection and prevention efforts.   Email-delivered crypto Business Email Compromise (BEC) campaigns are increasing in volume and sophistication.   Threat actors are targeting payment providers such as PayPal and fraudulently creating email invoices to perpetrate payment fraud.   Bitcoin is the preferred payment method due to its ability to transverse geographic borders.   In their latest annual IC3 report, the FBI notes over $43 billion has been lost globally due to BEC compromises in the past 5 years. The true figure is likely significantly higher due to unreported incidents.   The FBI notes phishing is increasing and remains the most reported cyber crime incident.   To stay safe: Never click on links from suspicious emails and be on the lookout for increasingly sophisticated BEC attempts to perpetrate invoice payment/wire fraud.
Tessian Threat Intel have noted an uptick in BEC efforts, with invoice/payment fraud the primary objective of threat actors.   We have been tracking payment provider related fraud since January 2022.   Also noteworthy is the increasing sophistication of campaigns targeting victims using a range of themes including the COVID-19 pandemic and, more recently, the conflict in Ukraine.    Over the past 30 days we are still seeing an average of 45 new Ukraine themed domains registered every day. (See April’s round up on Ukraine).   Key themes of the attacks still include crypto donation scams as well as ecommerce spam, romance scams, and loans for refugees.    The donation scams are increasing in volume and expanding in variety with themes for humanitarian aid and support for children or refugees.   As the digital payment market grows, so too will the range of attacks.   Bitcoin remains the preferred medium of payment for the BEC campaigns we have been tracking.   FBI notes a 65% increase in BEC fraud related losses globally in the period 2019 to December 2021.
Be suspicious of any invoice related request, even from a trusted party.   Always verify the authenticity of the invoice by contacting the party via an independent method, for example via telephone – and never use a telephone number provided in the suspicious email.   Report suspicious emails to your security administrator.   Use an advanced email protection solution that relies on behavioral intelligence modeling vs. a static, rule based approach to threat detection.   Report all BEC related losses to your relevant law enforcement agency – only by having an accurate picture on the extent of the crime threat, can we as a community harness the required resources to effectively deal with this challenge.
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Threat Intel
Tessian Threat Intel Roundup for April 2022
by Charles Brook Thursday, April 28th, 2022
Tessian Threat Intel introduces our key threat intelligence themes and topics we have been tracking for the month of April 2022.  The key theme this month focussed on Ukraine-related cyber threat campaigns. We expect nation-state related attacks to escalate in the wake of the Russia invasion. Recommendations for staying include following best practice as outlined by CISA  and NIST. Be sure to sign-up for our Threat Intel update to get this monthly update straight to your inbox.
Phishing campaigns escalated in the wake of the Ukraine invasion Ukrainian themed QR code crypto currency donation fraud featured prominently in phishing campaigns in the wake of the invasion Ramp-up of cyber retaliation by Russia against western countries and targets is expected in the coming weeks The Ukraine invasion is among the first inter- nation-state conventional conflicts to feature a cyber-war (hybrid war) component In order to disrupt nation-state campaigns in Ukraine, public-private partnerships as demonstrated by Microsoft will be key in addressing this threat vector The cyber insurance industry, already in choppy waters before the Ukraine invasion, is set for further turmoil concerning coverage limitations and premiums LinkedIn is now the most popular brand for impersonation in phishing attacks
Tessian Threat Intel have noted a significant escalation of phishing threats in the wake of the Ukraine invasion We take the view along with our colleagues that Russian affiliated APT groups are expected to escalate their attacks on countries allied with Ukraine, with the US, the UK, and the EU key targets in this regard Nation-state cyber attacks are expected to feature more prominently in conventional nation-state conflict based on recent outcomes from the Ukraine invasion  Cyber insurance premiums have doubled over the past 12 months, while coverage has dramatically been reduced A number of leading cyber insurance providers have recently amended their policy coverage to reflect this changing geopolitical risk landscape to specifically exclude acts of war
Threat actors take advantage of key events including conflict and natural disaster events as we witnessed during the recent pandemic Having dedicated executive support and resourcing for cybersecurity programs in the enterprise as outlined by CISA  is essential Defense in depth is key to reducing the likelihood of a successful breach Leveraging Threat Intel insights from your peers and from the cybersecurity vendor community is an important component to keeping aware of the rapidly evolving threatscape Cyber insurance is quickly becoming unaffordable to most small and medium sized companies. This may result in tough trade-offs for firms. Bottom line: Making strategic investments in cybersecurity programs is more important than ever.
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post