Human Layer Security
Ed Bishop Joins SecureWorld “Emerging Threats” Panel
27 April 2020
The number of cybersecurity threats is growing every day, increasing the need for comprehensive security monitoring, analysis, and communication. With the sudden explosion of remote workers, we are encountering even more challenges and reasons for concern. Attackers are taking full advantage in these trying times, and it is critical for the security community to pool our collective intel on the shifting threat landscape. On April 16, 2020, Ed Bishop, co-founder and Chief Technology Officer of Tessian, joined a SecureWorld panel of industry leaders — Erich Kron, Security Awareness Advocate for KnowBe4, Elvis Chan, Supervisory Special Agent from the FBI, and Mark Lance, Senior Director of Cyber Defense for GuidePoint Security — to discuss emerging threats being experienced in the wild, and strategies for staying ahead of cybercriminals. The panel was hosted by Bruce Sussman, Director of Content and host of the weekly podcast The SecureWorld Sessions.
Below is a truncated transcript of Ed’s responses to Bruce’s questions.

Bruce Sussman: What do you see as new or growing security vulnerabilities in the rush to work remotely?

Ed Bishop: Yeah, I was just going to chip in and just say with the work from home I think it’s really important to highlight how much of a change this is for the individuals as well. It’s not just about the technology. People’s lives have been turned upside down and everything is super uncertain. And what we’re seeing is people are just trying to take advantage of that with COVID-19-related attacks. They’re specifically targeting that uncertainty and the fact that people’s technology stacks are changing and that they’re expecting to get emails about new video conferencing or VPN software, and I just think it’s important to bring it back to thinking about the people or the end users and not just focusing on the technology and really this is where we’re going to stop getting security vulnerabilities. People just attacking that uncertainty and taking advantage of it.

Bruce Sussman: What do you see as current or emerging human-caused security risks on email?

Ed Bishop: We’re seeing a lot of emerging threats. I actually think it’s interesting because I think maybe a lot of these threats have existed for a long time, and it’s just been considered the cost of doing email. If you want to send email, you need to open yourself up to phishing attacks and you need to open yourself up to data exfiltration etcetera. And it’s only recently in the last five years that we’ve been thinking about this as the real threat and then we’re seeing these threats get more and more advanced. And that’s why I think we’re seeing the emergence of the term emerging. So yeah I think you break it down into how to think about a new threat… it’s about the Human Layer. People make mistakes on email so that means you can basically just accidentally send an email to absolutely anyone with very sensitive information. That’s one of the number one reported data incidents to the Information Commissioner’s Office in the UK. People break the rules and this is around all kinds of data exfiltration. It’s about doing things on email that they’re not supposed to do. And then finally what we’ve just been discussing is people can get tricked into this and we’re seeing this a lot with COVID-19 attacks. But specifically this is all about Human Layer problems. It’s about understanding how people work, it’s about understanding their behaviors, it’s understanding their historical email data sets. Really it’s the only way that you can actually go about starting to tackle these emerging trends. We believe that kind of rule-based technologies play a good job at tackling standard threats, but for the emerging threats, the advanced threats, that we’re seeing today, you really need to take a different approach and that’s about understanding people, understanding their data points and really using and leveraging technologies like machine learning to be able to tackle these advanced threats.

Bruce Sussman: What role will Artificial Intelligence play in cybersecurity and any ideas on how criminals also use AI?

Ed Bishop: Tessian obviously is a machine learning company on the defense side so we think there’s a huge role to play for AI in detecting some of these emerging threats if we just bring it back to one of the core topics of this panel: email. I would say that there’s just so much work still to be done on the defense side that attackers don’t even need to be thinking about AI on the offense side. It is quite frankly far, far too easy to send very convincing impersonation emails taking advantage of COVID-19 and just bypass existing technologies and get straight to the end user to take advantage of those human vulnerabilities and social engineering. Although we’re seeing very interesting things, I think DeepFake is a great example of where it’s truly being used on the offensive side. If we take it back to email where 91 percent of all cyberattacks originate, I think we’re going to see a lot of work on the defense side where attackers can just be using really simple phishing kits to bypass existing solutions.

Bruce Sussman: Interesting, and so that’s why we have to have the machine learning and AI on defense. Is that what you’re saying?

Ed Bishop: Exactly. I think the legacy approach to tackling things like phishing and business email compromise is really predominantly like Blacklist Space, where you have to assume the attack in a number of accounts or using basic respects or rules and quite frankly it seems if you introduce rules people are going to break those rules. Rules are made to be broken and attackers are constantly playing this game of cat and mouse. So yeah it’s all about defense, it’s understanding people, it’s understanding how they operate, what normal looks like for those end users and training machine learning models then that can detect people sending advanced impersonation emails.

Bruce Sussman: Are insider threats becoming more of a danger with the pandemic?

Ed Bishop: Yeah, I think that’s a great point that’s been mentioned. Obviously data exfiltration has been painted with quite a negative kind of brush and rightly so. But data exfiltration also covers people who aren’t necessarily being malicious, but they’re just trying to do their job and accidentally essentially breaking that IT policy. So to give you an example: you’re working from home, how are you going to print something? Are you going to go through the headache of trying to set up your home printer with your work computer even though USB is disabled, Bluetooth disabled? You know what you’re probably going to do is you’re just going to forward that email to your freemail account, go onto your personal device and print it. You just exfiltrated data. Your data may travel to another jurisdiction just due to that event. We are seeing a trend of not necessarily malicious data exfiltration but definitely an increase in data exfiltration because people are trying to do their job effectively. And their workforce hasn’t provided them with the technology to do that so they’re always going to just go to the path of least resistance, which is often exfiltrate data to their personal email accounts.

Bruce Sussman: There are plenty of examples where the traditional cybersecurity methods prove ineffective. Why is this and will attackers always be a step ahead?

Ed Bishop: I think it’s a great point, like why does it always feel like they’re a step ahead. Remember that I think we always try and think of it at Tessian as a numbers game for the attacker: they can send 1000 emails and they only need one email for you to click that link, or for you to wire that money. Don’t forget that they probably sent 9999 other emails that were unsuccessful. But the point is all they need is one email to be successful and that’s why you will always hear about data breaches in the news and in the press. I think bringing it back to why traditional data security methods are ineffective, it really just comes down to this game of cat and mouse. Putting myself in the shoes of the attacker, if I can go onto a security vendor’s website and go on to that WIKI and see how to set up policies that are rule-based, what are the attackers going to do? They’re going to send an attack that just flies past those rules because they just got an expose what that technology is looking for and how they can prevent it. I just also highlighted another kind of, I guess, traditional cybersecurity method, which is effective to some degree: Training and Awareness. But I think far too many companies rely on that as a silver bullet and again attackers know this. They know what people are trained against, they know the types of threats that people are trained against but there are just such sophisticated attacks out there that we cannot rely on people to detect. We need technology to do a better job and really understand kind of what normal looks like and be able to spot those anomalies.
Data Loss Prevention Human Layer Security
A Complete Overview of DLP on Email
By Maddie Rosenthal
27 April 2020
Data Loss Prevention is a vital part of security frameworks across industries, from Healthcare and Legal to Real Estate and Financial Services. There are dozens of different DLP solutions on the market, each of which secures data differently depending on the perimeter it is protecting. There are three main types of DLP:

- Network DLP
- Endpoint DLP
- Email DLP

While we’ve covered the topic of Data Loss Prevention broadly in our blog What is DLP?, we think it’s important for individuals and larger organizations to understand why email is the most important threat vector to secure and how Tessian approaches the problem of data loss on email differently.
Why is DLP on email important?

Billions of email messages are sent every day to and from organizations. Contained within many of these emails is highly sensitive information including personal details, medical records, intellectual property, and financial projections. Businesses, institutions, and governments rely on being able to share sensitive data with the right people how and when they want. But, at the same time, they also need to ensure data isn’t put at risk, whether through careless mistakes or intentional exfiltration. Once data leaves your organization, you lose control of it and now, with compliance standards like HIPAA, GDPR, and CCPA, organizations face greater consequences in the event of a data breach, including:

- Lost data
- Lost intellectual property
- Revenue loss
- Losing customers and/or their trust
- Regulatory fines
- Damaged reputation

And, with employees being busier than ever, it’s easier to make mistakes, for example typing the wrong email address when sending an email, or emailing a document to a personal account and raising the chance of that data being compromised. Interested in Why People Make Mistakes? Read our report. Importantly, though, mistakes are just one of the main causes of data loss on email.
What are the main causes of data loss on email?

The biggest risk to data security usually comes from within organizations. While few employees mean their company harm, the transfer of huge amounts of information every day by busy people means that mistakes happen, some with great cost to organizations’ reputations and balance sheets. People pose three main risks to their employers: they make mistakes, they can be hacked or tricked, and they can choose to break the rules.

Mistakes: People regularly send the wrong thing to the right person or, alternatively, the right thing to the wrong person. This is known as misdirected email. For example, an employee who means to send a spreadsheet of financial projections to Jean Smith who works for the firm’s accounting partner, but accidentally sends it to John Smith who works for a different firm entirely.

Being tricked: “Bulk” phishing, malware and ransomware scams, where employees are deceived or coerced into sending data or money, are increasingly common. But a bigger threat comes from spear phishing emails; these are targeted attempts by sophisticated attackers who have researched genuine business relationships to launch highly convincing attacks. This could manifest, for example, in a cybercriminal impersonating a real supplier claiming to need urgent payment to process an order.

Breaking the rules: At the extreme end, this could be an employee deliberately selling company secrets to competitors. But it may also be the result of ignorance: for example, the lawyer who sends a spreadsheet to his personal email on a Friday to get some work done over the weekend. Some cases may need disciplinary procedures, others a simple reminder that this is not allowed. But every instance places data at risk and must be stopped before the information leaves the organization.

All of these circumstances pose tremendous risks.
Even if 99% of information sharing is secure, it only takes one rushed email to the wrong person to expose sensitive data and raise the chance of data loss or data exfiltration. DLP aims to minimize the chance of any of the above happening by catching sensitive information before it reaches the wrong person.
How can DLP for email protect an organization?

Based on the main causes of data loss on email, there are two threats DLP must account for:

Accidental Data Loss: To err is human. For example, an employee might fat-finger an email and send it to the wrong person. While unintentional, this mistake could and has led to a costly data breach. DLP solutions need to be able to flag the email as misdirected before it’s sent, either by warning the individual or automatically quarantining or blocking it.

Malicious Exfiltration: Whether it’s a bad leaver or someone hoping to sell trade secrets, some employees do, unfortunately, have malicious intent. DLP solutions need to be able to identify data exfiltration attempts over email before they happen in order to prevent breaches.
The limitations of rule-based DLP

Unfortunately, DLP – especially rule-based DLP – can be a blunt instrument. These solutions include:

- Blocking accounts/domains
- Blacklisting email addresses
- Tagging data

Not only is creating and maintaining the rules that police data within an organization time-consuming for administrators, but, oftentimes, these rules don’t succeed in preventing data exfiltration or accidental data loss. Why? New threats can evade pre-existing rules and employees or hackers can find workarounds. Rules simply don’t reflect the limitless nuances of human behavior, and data loss is a human problem: it is people that share data and it is their actions that lead to data getting lost. To accurately detect when data loss is about to happen, you actually need to understand the context behind the action an employee is taking, rather than just the content that’s being shared. You can read more about the Drawbacks of Traditional DLP on Email here.

How does Tessian’s email DLP solution work?

While IT and security teams could work tirelessly to properly deploy and maintain rule-based DLP solutions to detect potential threats and limit the exposure of sensitive data, there’s a better, smarter way: Human Layer Security. Tessian uses contextual machine learning to address the problem of accidental or deliberate data loss by applying human understanding to email behavior. Our contextual machine learning models analyze historical email data to understand how people work and communicate. They have been trained on more than two billion emails – rich in information on the kind of data people send and receive every day. And they continue to adapt and learn as human relationships evolve over time. This enables Tessian Guardian to look at email communications and determine in real time if particular emails look like they’re about to be sent to the wrong person.
Tessian Enforcer, meanwhile, can identify when sensitive data is about to be sent to an unsafe place outside an organization’s email network.

Do I need an email DLP solution?

Each organization has different needs when it comes to DLP. But email DLP is more important now than ever, especially with misdirected emails being the number one incident reported under GDPR. It’s important to consider the biggest problems in your own organization, ease of deployment, and internal resources when choosing a solution. If your biggest concern is data exfiltration and you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Enforcer may be right for you. If your biggest concern is accidental data loss and – again – you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Guardian might be for you.
Data Loss Prevention Human Layer Security
Ultimate Guide to Staying Secure While Working Remotely
By Maddie Rosenthal
27 March 2020
The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture. In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
The risk involved in sending work emails “home”

It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons:

- Personal email accounts can be compromised, especially as they are often configured with weak passwords
- Email is not an encrypted medium by default. If an attacker were in a position to intercept your email, they would be able to read it, and any attachments, if not encrypted
- Devices used to access personal email, such as personal laptops and mobile phones, may also be more easily compromised than work devices safeguarded by your company

The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.

Public Wi-Fi vs. using a personal device as a hotspot

While for now most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access. While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place. As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or a time tracking app) are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted. For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.
As an employee, here’s what you can do to be safe:

- When connecting to a service over the internet, check the address bar to ensure the protocol used is HTTPS, not HTTP. If you’re using a service from your employer that isn’t HTTPS, avoid connecting and alert your IT team to the oversight.
- Ensure you keep VPN software on work devices up to date.

Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi. From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution. This may be easier to understand with an example. Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.

Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
Best practice around using cloud storage to share documents

For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office to home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information. Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored in the “cloud”, it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who compromises a user laptop or guesses a weak password. But there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider:

- How the data is backed up
- Risks associated with denial of service (DoS) attacks
- Legal complications that may arise from certain types of data being stored overseas

Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service. At Tessian, we use Google Drive. It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution. Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important.

Conferencing and collaboration tools

Remote working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues.
All such applications come with security considerations. IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization. We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely. Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise. For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker, such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, it could be exploited by an attacker and give them unlimited access to private, internal communications.
How to physically protect your devices

Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device. In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft. While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated. Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others. This has the added benefit of showing clients or other professional contacts that the business takes security seriously.

About that OOO message…

“Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…”

It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker. When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible. Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker.
Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away.

Top tips for businesses setting up remote-working policies…

- Keep policy points clear and concise and support them with similarly written procedures. Employees cannot practically absorb or retain 60+ pages of security policy, especially not overnight.
- When approving the use of new tools or software, always communicate the change to your employees, including guidelines on how and where to access them.
- Remember that users are going to make mistakes because they are human. Support them and encourage them to report issues, rather than making them afraid to admit to a mistake.
- Give clear channels for reporting such issues, supported by technical and human resources; for example, guidance on how to report a potential phishing email along with a method to contact support in the event of account lockout.
- Consider other technical challenges, such as how your support team can verify user identity when asked to reset a password or perform other remote technical support functions.
- Ensure your support team is trained and briefed to offer remote workers reassurance and understanding when a security issue arises. Remote workers need to feel connected with their colleagues during difficult moments.

Top tips for employees working from home…

- Use company-approved cloud or VPN services to access work documents instead of emailing sensitive information to your personal email accounts.
- Don’t download new software or tools without consulting your IT team.
- Keep your software and operating systems up to date.
- Always lock your laptop and keep all of your devices password-protected.
- Avoid public Wi-Fi and don’t rely on personal hotspots; whenever possible, find a secure, stable network to connect to.
- Before you join that call or connect to that site – especially if it requires installing new software – stop and think about the potential implications. If you’re not sure, ask your colleagues or support team for help.
- If you make a mistake and find yourself alarmed or fearful, it’s important to stop, think, and get someone else involved to support you.
- Report near misses. If you almost make a mistake, the odds are that others have also almost done the same thing. By sharing this information, your colleagues will be better informed and your business can modify procedures or applications to help prevent the issue ever occurring.

During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.

- FTC online security tips for working from home
- NCSC issues guidance as home working increases in response to COVID-19

We’ll also continue sharing best practice tips both on our blog and on LinkedIn.
Human Layer Security
5 Key Takeaways Tessian’s VentureBeat Webinar
By Maddie Rosenthal
27 March 2020
As a follow-up to our feature in VentureBeat’s special issue AI & Security, Tessian’s Co-Founder and CTO Ed Bishop spoke with Joe Maglitta, Senior Contributor/Analyst at VentureBeat, to dive deep into how and why we need a different type of machine learning to protect people at work on email. While you can watch and listen to the webinar on-demand here, below are some of the key takeaways from the discussion and live Q&A that followed.

The way we work has changed and will continue to change

Over the last decade, business has moved – and continues to move – towards digital interfaces. That means that email is now the main artery of communication and, importantly, where an organization’s most sensitive information is shared. Unfortunately, email isn’t secure. It wasn’t created to be secure and – the surprising truth is – it hasn’t changed much since its inception. When you compound that with the fact that people are more connected than ever, using phones, tablets, and even watches to check and respond to emails, you can see why it’s so important that we protect people – and therefore data – on email. This evolution towards digital interfaces has come to a head over the last several weeks as most of the world’s organizations have moved to remote working in light of the outbreak of COVID-19. Since the outbreak, Tessian has seen a 20% increase in the number of emails sent; that means there are more opportunities for data loss on email and opportunistic phishing attacks than ever before.
Human Layer Vulnerabilities are the cause of data breaches

Employees control a business’ most sensitive systems and data, whether that’s someone in your finance department who oversees billing and banking platforms or someone in your HR department who controls employee social security numbers and compensation plans. They are the first and last line of defense; the gatekeepers of digital systems and data. This is what we call the Human Layer. And people’s propensity to make mistakes, break the rules, or be hacked are Human Layer Vulnerabilities. But these vulnerabilities don’t cause small issues. They’re responsible for big problems. They’re the number one cause of data breaches, with 88% of data breaches reported to the UK’s Information Commissioner’s Office (ICO) being caused by human error. This fact was highlighted in a live poll conducted during the webinar in which 40% of viewers said phishing was the security breach they’re most concerned about. This came first, followed by accidental data loss (30%) and ransomware (30%). No one cited Denial of Service or Ransomware as their biggest concern.
IT and security leaders often don’t have visibility of the problems associated with human error within their organization

While human error on email is a problem in itself, the fact that many CISOs and other executives don’t know it’s a problem makes it even more of a challenge to solve. In the second poll of the webinar, viewers were asked: “How confident are you in the measures your organization has in place to prevent data breaches caused by people making mistakes, breaking rules, or being hacked?” Respondents were split down the middle.
But, according to Ed, confidence – especially from security leaders – is the wrong way to measure it, especially when their visibility of the problem relies on their employees reporting mistakes or other breaches. “We like to look at what the data says. When we go in and do historical analysis, we’re able to show that the number of misdirected emails is as great as 20-30 times larger than CISOs think. A 10,000-person organization will send 130 misdirected emails a week, but the CISO doesn’t necessarily know that because only a few get reported to him or her a quarter.”

Human Layer Security isn’t replacing machine layer security, DLP, or training

There are thousands of security products on the market. That’s in addition to the policies and procedures implemented within individual organizations. Human Layer Security isn’t a replacement for your entire security stack; it’s a vital addition. Machine layer security – often based on rules – is still effective in detecting malware. DLP solutions for physical security are still necessary. But, for those situations that can’t be defined or covered by “if this, then that” algorithms, you need something else. Advanced threats caused by human error like spear phishing, misdirected emails, and data exfiltration all fall into that category, and the only way to solve for them is by protecting the Human Layer.
Stateful machine learning is the best way to balance security, productivity, and effectiveness

Everything involving humans is dynamic and in flux. Relationships are formed for the duration of a project and then fall away. For example, you may have worked with a counterparty a lot a year ago, but now it’d be unusual for them to email you asking for an invoice to be paid. Stateful machine learning considers all of this by combining historical data with real-time analysis to answer the question: “At this exact moment in time, for this person, and their relationship, does this behavior look unusual?” Beyond this, though, stateful machine learning and Tessian’s Human Layer Security platform do not get in users’ way; this helps balance productivity and effectiveness in a way that policies, training, removal of access, and rule-based technology do not. This is key; security should empower and enable your employees, not detract from their ability to do their jobs. For more information about how Tessian uses stateful machine learning to protect people on email, read the full VentureBeat article, watch the webinar, or get in touch for a demo.
Data Loss Prevention Human Layer Security
How Can Organizations Empower People to Prevent Data Exfiltration?
By Maddie Rosenthal
24 March 2020
As data has become valuable currency, data exfiltration is a bigger issue now than ever before. And, while it’s a complex problem to solve, it’s not a losing game. Techniques and technologies have been evolving and today we are better able to control and prevent data exfiltration. To successfully prevent data exfiltration, you have to understand the various moving parts. When it comes to protecting data, there are three key challenges: people, processes, and technology.
Preventing Data Exfiltration With People: The Role of Training

Since old-school software and keyword tracking tools have proven largely ineffective at preventing exfiltration, some security teams have proposed that rather than relying only on software, people should be trained on how to safely manage data and information. Training allows employees to learn about internal policies, regulations like GDPR and CCPA, and other best practices around data. But it’s important that organizations reinforce training with practical applications. Some training will reinforce company policies and compliance with data privacy regulations, but the majority of training and awareness programs center on teaching employees about inbound threats like phishing attacks and BEC. Very few training and awareness programs educate employees about outbound security risks like accidental and deliberate data loss.

Preventing Data Exfiltration With Processes: In-Situ Learning

To really empower employees to work securely and prevent data exfiltration, organizations have to look beyond compliance training to in-situ learning opportunities provided by contextual warnings, triggered by suspicious activity. Beyond preventing breaches, these warnings help promote safe behavior by asking employees to pause and think “Am I making the right decision?” But too many warnings or pop-ups may have the opposite effect. Take, for example, pop-ups that prompt you to accept cookies on websites. Because most of us encounter these on every website we visit, we ignore them or blindly click to consent. This is called alert fatigue; the more pop-ups you see, the less you care about them. The same applies to in-situ learning. If employees encounter notifications warning against risky behavior on 25% of the emails they send, they’ll stop paying attention to them. So, what’s the solution? Warnings should only trigger when there’s a genuine security risk.
That means security software must be able to distinguish between normal emails and suspicious ones with the utmost accuracy. Warning notifications should also contain relevant and easy-to-comprehend information about why the email has been flagged to help reinforce security training with context.  Tessian Enforcer, Guardian, and Defender do just that. 
Preventing Data Exfiltration With Technology: Machine Learning

Even with training and in-situ learning, organizations need a final line of defense against data exfiltration. For many organizations, that last line of defense is rule-based technology. But rule-based solutions are blunt instruments. The best way to illustrate this is through an example. To prevent data exfiltration on email, an organization might block communications with freemail accounts (for example, @gmail, @yahoo, etc.). But imagine the marketing department outsources work to a freelancer. In that case, the freelance worker may use a freemail account. When the employee attempts to communicate with this trusted third party, the email would be blocked and the employee will be unable to carry out their work. Unlike rule-based solutions, ML-based solutions like Tessian are agile. Tessian’s machine learning algorithms are trained on historical email data to understand evolving human relationships on email. Instead of relying on rules to flag suspicious emails, it relies on context from millions of data points from the past and present. That way, solutions like Tessian Enforcer and Tessian Guardian are able to uniquely understand every email address in an organization’s network and can, therefore, automatically (and accurately) identify whether a recipient is a trusted third party or an unauthorized non-business account.

Learn More About How Tessian Empowers People to Work Securely

Preventing data exfiltration requires well-trained employees and intelligent solutions. To learn more about how Tessian combines in-situ learning with machine learning to reinforce training and prevent data loss, request a demo.
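The two arguments above, that a static freemail rule blocks a trusted freelancer while a relationship that was active a year ago should now look unusual, can be made concrete with a small model. This is an added illustration, not Tessian’s code: the decayed-contact score, its half-life, the threshold, the addresses and the traffic history are all constructed here and stand in for the platform’s actual machine learning.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical freemail list, as in the text's example (@gmail, @yahoo, ...).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}


def email_domain(address: str) -> str:
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def rule_blocks(recipient: str) -> bool:
    """The blunt 'if this, then that' rule from the text: block any
    recipient on a freemail domain, regardless of who they are."""
    return email_domain(recipient) in FREEMAIL_DOMAINS


class RelationshipState:
    """Per-(employee, counterparty) contact history that answers
    'does contact with this person look unusual at this moment?'.

    strength() is an exponentially decayed count of past exchanges, so a
    relationship that was active a year ago fades unless it is renewed.
    The half-life and threshold are illustrative choices (assumptions)."""

    def __init__(self, half_life_days: float = 60.0, threshold: float = 2.0):
        self.half_life_days = half_life_days
        self.threshold = threshold
        # (employee, counterparty) -> timestamps of emails exchanged
        self._history = defaultdict(list)

    def record(self, employee: str, counterparty: str, when: datetime) -> None:
        self._history[(employee.lower(), counterparty.lower())].append(when)

    def strength(self, employee: str, counterparty: str, now: datetime) -> float:
        total = 0.0
        for when in self._history[(employee.lower(), counterparty.lower())]:
            if when > now:
                continue  # state is evaluated as of 'now'; later mail is unknown
            age_days = (now - when).total_seconds() / 86400.0
            total += 0.5 ** (age_days / self.half_life_days)
        return total

    def assess(self, employee: str, counterparty: str, now: datetime) -> str:
        """'new' (never seen as of now), 'dormant' (seen, but the
        relationship has faded) or 'established' (recent, sustained contact)."""
        key = (employee.lower(), counterparty.lower())
        if not any(t <= now for t in self._history[key]):
            return "new"
        if self.strength(employee, counterparty, now) >= self.threshold:
            return "established"
        return "dormant"


# --- Constructed sample history (not real traffic) ------------------------
NOW = datetime(2020, 4, 1)
A_YEAR_AGO = NOW - timedelta(days=365)
EMPLOYEE = "alice@example-corp.test"
FREELANCER = "designer.freelance@gmail.com"   # trusted third party on freemail
OLD_SUPPLIER = "accounts@old-supplier.test"   # worked with a year ago, then not


def build_sample_state() -> RelationshipState:
    state = RelationshipState()
    # Weekly exchanges with the freelancer over the last eight weeks.
    for week in range(1, 9):
        state.record(EMPLOYEE, FREELANCER, NOW - timedelta(days=7 * week))
    # Thirty exchanges with the old supplier, all 12 to 15 months ago.
    for k in range(30):
        state.record(EMPLOYEE, OLD_SUPPLIER, NOW - timedelta(days=365 + 3 * k))
    return state


def compare(state: RelationshipState, counterparty: str, now: datetime) -> dict:
    """Side by side: what the static rule does vs. what the stateful model says."""
    return {
        "rule_blocks": rule_blocks(counterparty),
        "relationship": state.assess(EMPLOYEE, counterparty, now),
        "strength": round(state.strength(EMPLOYEE, counterparty, now), 2),
    }


if __name__ == "__main__":
    state = build_sample_state()
    for who in (FREELANCER, OLD_SUPPLIER):
        print(who, "today:", compare(state, who, NOW))
    # Same supplier, same history, but evaluated as of a year ago.
    print(OLD_SUPPLIER, "a year ago:", compare(state, OLD_SUPPLIER, A_YEAR_AGO))
```

Run as written, the rule blocks the freelancer (who the model rates as established) and passes the old supplier (who the model now rates as dormant, although the same history rated them established a year ago).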
Customer Stories Human Layer Security
Cybersecurity Awareness Should Be People-Centric, Too
13 March 2020
The first speaker at Tessian Human Layer Security Summit on March 5 was Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential. He started his presentation by citing three fundamental flaws in cybersecurity awareness training: it’s boring, it’s often irrelevant, and it’s expensive.
So, should we do away with it entirely? Not quite.

Cybersecurity training is a necessary evil

Cybersecurity professionals who implement training programs and employees who take part in these training programs can no doubt attest that the three flaws Mark mentioned are an unfortunate reality. But, what’s the solution? Training is, after all, a necessity. Without it, employees would rely entirely on often small and overworked IT and cybersecurity teams to prevent incidents and mitigate the consequences afterward. That’s not just a tall order; it’s completely unfeasible, especially when human error is the most prevalent cause of data breaches. That means every individual must be held accountable. By educating employees about data privacy laws, password best practices, and how to spot phishing scams, cybersecurity becomes the collective responsibility of the organization, not just those who have a relevant title. With that said, Mark isn’t suggesting that organizations do away with cybersecurity awareness training. Instead, he’s saying that in order for it to be effective, it needs to be aligned to the individual business. To do that, you have to get to know the business, the people in it, and their attitudes towards security. And, according to Mark, the best indicator of future behavior is confidence.

The cybersecurity culture survey
Influenced by the work of Phillip Tetlock, Mark created a survey with predictive power. But, unlike your average survey that simply gauges knowledge, this survey gauges confidence. Importantly, the survey focused on five key competencies: business focus, cyber risk assessment, policy and best practice, cybersecurity advocacy, and personal practice. The thought process is simple: a survey respondent who answers a question incorrectly with 100% confidence is just as likely to make a mistake as a survey respondent who answers a question correctly with less than 100% confidence. Both responses signal the potential for equally risky behaviors. Beyond that, though, the responses – either correct or incorrect – represent an area that requires targeted training and intervention.

How can you apply this to your cybersecurity strategy?

While Mark shared the results of the survey he conducted (which you can see by watching the full presentation on our YouTube channel), his findings won’t help cybersecurity professionals fine-tune their own training. The key here is that awareness training needs to be customized. Without gauging not just the knowledge but the confidence of your employees, you’re essentially blind to the cybersecurity risks within your organization. And, of course, your efforts run the risk of being deemed “boring”, “irrelevant”, and “expensive” with no tangible upside. For more insights garnered from Tessian Human Layer Security Summit, click here. #HumanLayerSecuritySummit20
Human Layer Security
How to Create an Enduring and Flexible Cybersecurity Strategy
11 March 2020
At Tessian Human Layer Security Summit on March 5, four of Tessian’s customers engaged in an in-depth panel discussion about cybersecurity trends for 2020, the importance of creating a positive security culture in an organization, and the impact of human error. All of the panelists, including Timor Ahmad from Lloyd’s of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, offered incredible and diverse insights and, in pulling these insights together, we’ve created a mini-guide for other cybersecurity professionals. Here are five things to consider when creating and implementing a cybersecurity strategy, according to Tessian’s customers.
Cybersecurity strategies must constantly evolve

While cybersecurity strategies are long-term and take time to both implement and iterate, they must also be mutable. Why? Because in addition to the ever-evolving threat landscape, there are plenty of other internal and external factors to consider. For example, privacy laws, regulations, compliance standards, company size, board members, budgets, and individual employees all affect an organization’s security posture and should, therefore, influence strategies. Even a global health crisis like Coronavirus, which Mark Parr from HFW referenced, is something that impacts security strategies, especially with more and more organizations implementing remote working policies due to the outbreak. While, yes, it’s a minefield, organizations have to consider and reconsider these moving parts and, in doing so, constantly evaluate and re-evaluate their strategies and frameworks to keep data, networks, devices, and people secure.

Privacy laws and regulations are top-of-mind

With the two-year anniversary of GDPR just around the corner, other nations and even individual states in America are adopting their own data privacy laws. These, of course, are in addition to those already enforced by government agencies like the FCC and the ICO.
The growing number of regulations is especially pertinent for organizations that handle customer or client data. And, while the fines for a breach are hefty under these new compliance standards, organizations have a lot to gain by keeping internal and external data secure. Being transparent and secure about data protection bolsters credibility and trust.

Security can (and should) fuel overall business objectives

As data becomes more and more of an asset to protect, cybersecurity is becoming a less siloed department and more integrated into overall business functions. Again, this is especially the case for organizations that handle customer or client data. In fact, strong cybersecurity actually enables businesses and has become a unique selling point in and of itself.
For an industry that has historically struggled to communicate its value and the return on investment for strategies, this is huge.

Engaging with employees about security is tough, but not impossible

As the Human Element continues to be one of the biggest risk factors in data breaches, it’s absolutely essential that those in cybersecurity leadership positions make a pointed effort to engage with their employees to communicate risks and responsibilities.
Of course, anyone in a cybersecurity leadership position knows this is no easy task. According to our panelists, though, the key is to find new ways to tell the same story. Some use gamification and positive reinforcement while others rely on more interactive content like videos and podcasts. Whatever the method or medium, the most important thing is that risks and responsibility – which the entire organization bears the burden of – are translated so that everyone across departments and levels of seniority can understand.

Accountability is required company-wide

As we’ve said, cybersecurity is no longer siloed. That means that accountability is required company-wide in order to make policies, procedures, and tech solutions effective. But, according to our panelists, employees and even board members are becoming less passive in their roles as they relate to cybersecurity. This is a big relief for IT and security teams, especially when the threat of human error is one of the biggest challenges we’re up against.

Learn more

Keen to watch the full Human Layer Security Summit and see what our other guest speakers – including a hacker – had to say? Watch the video on our YouTube channel. You can also read key takeaways from the day here. #HumanLayerSecuritySummit20
Human Layer Security Spear Phishing
Hacker’s Advice: 7 Tips for Avoiding Phishing Scams
09 March 2020
The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems. In other words, he’s an ethical hacker, although he prefers “friendly hacker”.  During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people. Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
1. Don’t Underestimate Hackers or Overestimate Your Ability to Spot a Phish

Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And he’s right. Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful. Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it’s difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that “only idiots fall for scams”. While that may be the case with the more blatantly obvious scams – for example, an email coming from a Nigerian Prince claiming they’d like to share their fortune with you if you share your bank account details – hackers have an arsenal of techniques to dupe even the most discerning eye. This is especially the case in spear phishing attacks, where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company’s organizational structure, but more timely information about individuals, like when they’re attending a conference. This is powerful ammunition for a spear phishing attack.

2. Look Out for Both Emotive and Enterprising Scams

People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response – fear, urgency, stress – often triggered by an email that appears to be sent from a person in power. They work really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it recently received VC funding. Based on the press release, a savvy hacker contacted the Venture Capital firm impersonating the company. The hacker was able to create a convincing email relationship with the Venture Capital firm, and this trust enabled the hacker to successfully get the VC to transfer the funds into their account. People sometimes mistakenly think the solution to this is to hide all information. But often there’s a reason why information was and is made public. Making sure people know what information is public or not can help.

3. Relying on hypervigilance isn’t enough

People – especially in work environments – tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What’s more, expecting people to double-check everything will not work. They will not get any work done. Management must understand that people make mistakes; expecting them to be hypervigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening. Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them “this is really hard” then saying “best of luck” is not setting them up for success.

4. Don’t take the “secret” bait

If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they’ll simply CC individuals into a conversation that genuinely has nothing to do with them. The email message will allude to a secret or piece of sensitive information, potentially with a malicious link to the alleged source or a malicious attachment. It seems rudimentary, but it works.
More often than not, the target will follow the link or attachment, thinking they’re gaining access to something highly confidential. In reality, they will have installed malware on their computer.

5. Beware of Urgent Requests and Reasonable Requests

While a lot of hackers will use urgency to incite action, that’s not the only tactic they employ. In fact, a tried-and-tested technique according to Glyn is to request an action within two working days. “If you’re impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates.”
6. Take Extra Caution on Your Mobile

While mobile phones have no doubt made it easier for us to stay connected, they’ve also made it even easier for hackers to pull off successful phishing attacks given the smaller screens and differences in functionality, especially after hours. “I love mobiles. But if you’re targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is.” But it’s not just smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn’t the only threat vector to be wary of.

7. Implement a Security Solution

While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.
#HumanLayerSecuritySummit20
Human Layer Security
Insights from Tessian Human Layer Security Summit | London 2020
05 March 2020
On March 5, 2020, Tessian hosted the world’s first Human Layer Security Summit where we brought together speakers from Prudential, Lloyd’s of London, Herbert Smith Freehills, Clifford Chance, HFW and Tradecraft to talk about security culture, the Human Element, and the evolving threat landscape. We had hundreds of people join us in-person in London and from around the world via livestream. In case you missed it, you can watch a recording of the event here:  While the focus of the Summit centered around Human Layer Security and why we need to protect people (not just networks and devices), the speakers and panelists offered a diverse range of insights into the challenges cybersecurity professionals are up against and, importantly, how they try to solve them.
It takes a village to secure an organization’s data, devices, and networks

Accountability is required company-wide in order to make policies, procedures, and tech solutions effective. That’s why those in cybersecurity leadership positions are laser-focused on finding new ways to engage with employees through gamification, interactive content, podcasts, and more.
According to Timor Ahmad from Lloyd’s of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, employees are, fortunately, becoming less passive in their roles as they relate to cybersecurity. As the Human Element continues to be one of the biggest risk factors in data breaches, individuals have to do their part to supplement their cybersecurity stack. This is especially important because, by empowering your employees, you’re taking the burden not only off them, but off of your information security team. For smaller teams, this is vital. For more insights from the panel discussion, click here.

Cybersecurity frameworks and strategies can’t be static

There’s a lot that goes into creating an effective cybersecurity framework and strategy. They take months – even years – to create and implement. But they have to constantly evolve in tandem with both external and internal factors. Privacy laws, regulations, compliance standards, company size, board members, budgets, individual employees – even the Coronavirus! – all affect and should, therefore, influence strategies. It’s a minefield, but unless all these things are considered and constantly re-evaluated, organizations will put themselves at risk. It takes a cybersecurity strategy that’s customized, and re-customized, to keep networks and devices secure and to empower and enable employees to make smart security-related decisions.

Breaking in is easier than defending

While spam, phishing scams, and more targeted attacks like spear phishing are relatively easy for attackers to pull off, spotting these nefarious emails is hard…even with training. Interestingly, though, according to Glyn Wintle, an ethical hacker and penetration tester, employees tend to be incredibly confident in their ability to spot phishing emails, with just 3% of people saying they have a low probability of falling for a phishing scam.
Unfortunately, confidence doesn’t equate to actual ability, especially when hackers combine bulk email lists, technical acumen, and social engineering. By abusing trust, piquing curiosity, and/or creating a sense of urgency, hackers can get whatever it is they’re after – from log-in credentials to a bank transfer – from at least one person out of the tens, hundreds, or thousands they’ve emailed. Interested in learning more about cybersecurity from a hacker’s perspective? Click here.

There are some fundamental problems with cybersecurity awareness training

Mark Logdson sees three problems with cybersecurity awareness training: it’s often irrelevant to the audience or user, it’s generally quite boring, and it’s expensive in terms of investment and lost productivity during the training itself. Mark said it best, “We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect “Johnny” to be grateful for having spent that time in the training and to have been thoroughly entertained.” You also hope he’s learned something. This likely sounds familiar to both cybersecurity professionals who implement awareness training programs and the employees who take part in – or should we say endure – quarterly or annual training sessions. Of course, Mark isn’t suggesting that organizations do away with cybersecurity awareness training; he’s simply saying it needs to be more tailored to the risk areas in each individual organization in order to be most effective. You can read more about Mark’s approach here.
Cybersecurity isn’t just a support function, it’s an enablement function

While cybersecurity has historically been a very siloed department within organizations, it’s becoming not only more integrated into overall businesses, but it’s also becoming an enablement function. In short, board members and employees across departments see the value in information security. In fact, more and more, representatives from cybersecurity teams are being called on to promote a business’s value proposition through its security. It makes sense, though, especially for organizations that handle large amounts of external data for clients or customers. In this case, security becomes a unique selling point in and of itself.
For an industry that has historically struggled to communicate its value and the return on investment for strategies, this is huge.  The insights offered at our first-ever Human Layer Security Summit were invaluable, not only for cybersecurity professionals, but also for employees and consumers. We’ll be announcing the next Human Layer Security Summit soon, so be sure to subscribe to our newsletter for the latest industry and company updates.   #HumanLayerSecuritySummit20
Human Layer Security
RSA Recap: The Human Element is More Than a Buzzword
By Erez Haimowicz
04 March 2020
Last week, Tessian was at RSA 2020 in San Francisco. While this was only my fourth month at Tessian, this was my ninth year at the annual cybersecurity conference, which I’ve previously attended on behalf of Mimecast, Proofpoint, and Cofense when I was part of their respective teams. Last year the agenda was very much focused on automation, machine learning (ML), and artificial intelligence (AI), but this year, the theme was much more…human. More specifically, it was the Human Element.

What is The Human Element?

This theme, of course, resonates with all of us here at Tessian. After all, it’s why we’ve created Human Layer Security. Humans and our propensity to break the rules, make mistakes, and get hacked are the foundation for everything we do at Tessian. We believe humans are an organization’s biggest asset, so long as they are empowered to make smart security-related decisions. But, how do you actually enable and empower people to make those smart security-related decisions? How do you actually protect the Human Element? While Tessian is clear and confident that stateful machine learning is the most effective way to protect the Human Layer, it seemed like a lot of other vendors relied on strong messaging alone to align with this year’s RSA theme and didn’t necessarily have the technology or functionality to back that messaging up.

The Human Element Applies to Both Inbound and Outbound Threats

If you look at cybersecurity historically, solutions have been focused on protecting networks, endpoints, and devices. You know, machines. But phishing isn’t a machine or technology-related problem. It’s a human problem. Sure, we can use spam filters or Secure Email Gateways (SEGs) to mitigate the risk, but it’s inevitably people that are both behind the attacks and the last line of defense. What about awareness training and phishing simulations?
While this type of solution may have a positive effect in the short term, the immediate gains wane over time as people forget the training and revert back to old behaviors. Tessian even published a report examining this problem. Phishing is – and has been – a hot topic, and the inbound space is crowded with vendors that claim to protect organizations from this type of attack. But the Human Element isn’t limited to inbound threats. It’s just as – if not more – relevant to outbound threats. Misdirected emails, insider threats, accidental data loss…these are all human problems that not only rely on people being aware of security policies and best practice, but also rely on people doing the right thing 100% of the time. This is a tall order when they are in control of more sensitive data and systems than ever before. Unfortunately, to err is human. And that – in a nutshell – is the problem. Humans will make mistakes. Humans will break the rules. Humans will get tricked or hacked.

Visibility is Key

Fundamentally, CISOs and other IT decision-makers understand this, but they may not have always understood exactly how big of a problem the issue of human error is. And, in my experience, visibility of the scope of the problem is the lifeblood of any cybersecurity strategy or framework. Vendors know this, which is why we see so much messaging focused on fear-mongering; messaging focused on the size and scale of the problem with alarming stats that seem to only be trending upwards. We’ve been guilty of this in the past, too. But CISOs are tired. They want strong solutions, not strong messaging.
Strong Messaging Doesn’t Solve Cybersecurity Challenges

It’s safe to say – especially given this year’s theme – that today, the cybersecurity industry and professionals within the industry have started to wise up to the problem of human error beyond phishing. In particular, they understand the challenges and consequences associated with accidental data loss and data exfiltration, and are beginning to have visibility of the scope of these problems, too. But they have very few solutions. While a lot of vendors shouted about the Human Element this year, their product offering hasn’t changed since last year, when they were shouting about AI, ML, and automation. SEGs and other cybersecurity solutions don’t suddenly empower employees to inspect and identify threats with 100% accuracy just because their messaging is now more people-focused than it has been historically. Actually solving problems related to the Human Element takes innovation and disruptive technology that challenges widely-accepted – albeit ineffective – approaches that have previously been classed as best practice. A new tagline isn’t enough.

The Future of People-Focused Cybersecurity Solutions

Cybersecurity is a broad, expansive industry that seeks to solve an incredible range of problems. There are firewalls, web applications, password managers, sandboxes, and simple spam filters, and new start-ups are cropping up nearly every single day claiming to solve for one or more of these problems. Why? Because the industry is one of the most important today given the digital landscape and is incredibly valuable because of that. In fact, the global cybersecurity market has grown 30x in the last 13 years and the industry received record venture capital investment in 2019. But growth is only good if we as an industry look at the problems we’re solving holistically.
If we collectively recognize the Human Element is a challenge we’re up against, the next generation of cybersecurity solutions have to take a new approach to protecting human-digital interactions. Tessian is doing just that by creating Human Layer Security, a new category in the industry. We protect people on email from both inbound and outbound threats with stateful machine learning.  It’s not just messaging, it’s our genuine product offering.  Interested in how Tessian’s Human Layer Security platform can protect your data by protecting your Human Element? Book a demo now.
Human Layer Security
To protect people, we need a different type of machine learning
By Ed Bishop
29 February 2020
Despite thousands of cybersecurity products, data breaches are at an all-time high. The reason? For decades, businesses have focused on securing the machine layer — layering defenses on top of their networks, devices, and finally cloud applications. But these measures haven’t solved the biggest security problem — an organization’s own people. Traditional machine learning methods that are used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex. This is why “stateful machine learning” models are critical to security stacks.

The people problem

The problem is that people make mistakes, break the rules, and are easily hacked. When faced with overwhelming workloads, constant distractions, and schedules that have us running from meeting to meeting, we rarely have cybersecurity top of mind. And things we were taught in cybersecurity training go out the window in moments of stress. But one mistake could result in someone sharing sensitive data with the wrong person or falling victim to a phishing attack.

Securing the human layer is particularly challenging because no two humans are the same. We all communicate differently — and with natural language, not static machine protocols. What’s more, our relationships and behaviors change over time. We make new connections or take on projects. These complexities make solving human-layer security problems substantially more difficult than addressing those at the machine layer — we simply cannot codify human behavior with “if-this-then-that” logic.

The time factor

We can use machine learning to identify normal patterns and signals, allowing us to detect anomalies when they arise in real time. The technology has allowed businesses to detect attacks at the machine layer more quickly and accurately than ever before. One example of this is detecting when malware has been deployed by malicious actors to attack company networks and systems. By inputting a sequence of bytes from a computer program into a machine learning model, it is possible to predict whether there is enough commonality with previously seen malware attacks — while successfully ignoring any obfuscation techniques used by the attacker. Like many other threat detection problem areas at the machine layer, this application of machine learning is arguably “standard” because of the nature of malware: A malware program will always be malware. Human behavior, however, changes over time. So solving the threat of data breaches caused by human error requires stateful machine learning.

Consider the example of trying to detect and prevent data loss caused by an employee accidentally sending an email to the wrong person. That may seem like a harmless mistake, but misdirected emails were the leading cause of online data breaches reported to regulators in 2019. All it takes is a clumsy mistake, like adding the wrong person to an email chain, for data to be leaked. And it happens more often than you might think. In organizations with over 10,000 workers, employees collectively send around 130 emails a week to the wrong person. That’s over 7,000 data breaches a year.

For example, an employee named Jane sends an email to her client Eva with the subject “Project Update.” To accurately predict whether this email is intended for Eva or is being sent by mistake, we need to understand — at that exact moment in time — the nature of Jane’s relationship with Eva. What do they typically discuss, and how do they normally communicate? We also need to understand Jane’s other email relationships to see if there is a more appropriate intended recipient for this email. We essentially need an understanding of all of Jane’s historical email relationships up until that moment.

Now let’s say Jane and Eva were working on a project that concluded six months ago. Jane recently started working on another project with a different client, Evan. She’s just hit send on an email accidentally addressed to Eva, which will result in sharing confidential information with Eva instead of Evan. Six months ago, our stateful model might have predicted that a “Project Update” email to Eva looked normal. But now it would treat the email as anomalous and predict that the correct and intended recipient is Evan. Understanding “state,” or the exact moment in time, is absolutely critical.

Why stateful machine learning?

With a “standard” machine learning problem, you can input raw data directly into the model, like a sequence of bytes in the malware example, and it can generate its own features and make a prediction. As previously mentioned, this application of machine learning is invaluable in helping businesses quickly and accurately detect threats at the machine layer, like malicious programs or fraudulent activity. However, the most sophisticated and dangerous threats occur at the human layer when people use digital interfaces, like email. To predict whether an employee is about to leak sensitive data or determine whether they’ve received a message from a suspicious sender, for example, we can’t simply give that raw email data to the model. It wouldn’t understand the state or context within the individual’s email history.
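The Jane/Eva/Evan scenario above, worked through as an added example. This is illustration code written for this page, not Tessian's model or any part of its product: the recipient addresses, the 30-day half-life, the 3x suggestion threshold and all of the sample emails are constructed assumptions. What it shows is the "state" the article is describing: the sender's outbound history is stored, and each draft is scored against every known recipient with a weight that decays with time, so the very same "Project Update" draft to Eva is normal during her project and anomalous six months later, when the model proposes Evan instead.

```python
"""Toy stateful recipient check for misdirected-email detection (added example, not Tessian's code).

Names, constants and sample emails are constructed for illustration. The model keeps a
per-sender history and scores a draft against each known recipient as of a given moment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TOKEN_RE = re.compile(r"[a-z0-9]+")
HALF_LIFE_DAYS = 30.0   # assumed: a relationship's weight halves every 30 days without contact
SUGGEST_RATIO = 3.0     # assumed: flag when another recipient scores 3x the chosen one


def tokenize(text: str) -> set[str]:
    """Lower-case word set used for a crude topic comparison."""
    return set(TOKEN_RE.findall(text.lower()))


@dataclass
class SentEmail:
    when: datetime
    recipient: str
    subject: str
    body: str


@dataclass
class Verdict:
    anomalous: bool
    chosen_score: float
    suggested: str | None   # better-matching recipient, if the draft is flagged


@dataclass
class SenderState:
    """Everything the model knows about one sender: their outbound history."""
    history: list[SentEmail] = field(default_factory=list)

    def record(self, email: SentEmail) -> None:
        self.history.append(email)

    def relationship_scores(self, subject: str, body: str, now: datetime) -> dict[str, float]:
        """Per-recipient score as of `now`: time-decayed mail volume, boosted by topic overlap."""
        draft_tokens = tokenize(subject + " " + body)
        scores: dict[str, float] = {}
        for e in self.history:
            if e.when > now:            # state is "as of now": later mail does not exist yet
                continue
            age_days = (now - e.when).total_seconds() / 86400.0
            decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
            hist_tokens = tokenize(e.subject + " " + e.body)
            union = draft_tokens | hist_tokens
            overlap = len(draft_tokens & hist_tokens) / len(union) if union else 0.0  # Jaccard
            scores[e.recipient] = scores.get(e.recipient, 0.0) + decay * (1.0 + overlap)
        return scores


def check_draft(state: SenderState, recipient: str, subject: str, body: str, now: datetime) -> Verdict:
    """Flag the draft if another known recipient fits it far better than the chosen one."""
    scores = state.relationship_scores(subject, body, now)
    chosen = scores.get(recipient, 0.0)
    if not scores:                       # no history yet: nothing to compare against
        return Verdict(False, chosen, None)
    best, best_score = max(scores.items(), key=lambda kv: kv[1])
    if best != recipient and best_score >= SUGGEST_RATIO * chosen:
        return Verdict(True, chosen, best)
    return Verdict(False, chosen, None)


def build_jane_state() -> tuple[SenderState, datetime, datetime]:
    """Constructed history: weekly updates to Eva, then a new project with Evan six months later."""
    state = SenderState()
    eva_start = datetime(2020, 1, 6)
    evan_start = eva_start + timedelta(days=180)
    for week in range(8):
        state.record(SentEmail(eva_start + timedelta(weeks=week), "eva@client-a.example",
                               "Project Update", "draft of the phase one report attached"))
    for week in range(3):
        state.record(SentEmail(evan_start + timedelta(weeks=week), "evan@client-b.example",
                               "Project Update", "draft of the migration plan attached"))
    return state, eva_start, evan_start


def demo() -> tuple[Verdict, Verdict, Verdict]:
    """Same draft at two moments in time, plus a draft to an address Jane has never written to."""
    state, eva_start, evan_start = build_jane_state()
    subject, body = "Project Update", "latest draft attached"
    then = check_draft(state, "eva@client-a.example", subject, body, eva_start + timedelta(weeks=8))
    later = check_draft(state, "eva@client-a.example", subject, body, evan_start + timedelta(weeks=3))
    unknown = check_draft(state, "eve@other.example", subject, body, evan_start + timedelta(weeks=3))
    return then, later, unknown


if __name__ == "__main__":
    for label, verdict in zip(("during the Eva project", "six months later", "unknown recipient"), demo()):
        print(f"{label}: {verdict}")
```

The decay is the whole point: without it, Eva's eight historical emails would outweigh Evan's three forever and the draft would never be flagged. A production system would replace the word-overlap heuristic with learned features and calibrate the threshold on real data, but the dependence on "now" would remain.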
People are unpredictable and error-prone, and training and policies won’t change that simple fact. As employees continue to control and share more sensitive company data, businesses need a more robust, people-centric approach to cybersecurity. They need advanced technologies that understand how individuals’ relationships and behaviors change over time in order to effectively detect and prevent threats caused by human error.

*This article is part of a VentureBeat special issue. Read the full series here: AI and Security.
Human Layer Security Spear Phishing
Tim Sadler on Hacking Humans Podcast: Episode 87 “The Art of Cheating”
28 February 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why email is so risky and inboxes remain dangerous territory. Listen to Hacking Humans Episode 87 “The Art Of Cheating.”

Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He is from a company called Tessian. And we discuss the human element of cybersecurity, along with some details on some phishing schemes. Here’s my conversation with Tim Sadler.

Tim Sadler: I think, for a long time, when we’ve spoken about securing people, we’ve always defaulted to training and awareness rather than thinking about how we can use technology to take the burden of security away from people. So I think there’s a challenge at the moment in that humans are unpredictable. They break the rules. They make mistakes. And they’re easily tricked. And that’s what’s leading to so many data breaches today that are ultimately caused by people and human error.

Dave Bittner: And so the bad guys, knowing this, have adjusted their tactics.

Tim Sadler: I think that’s right. I mean, if you think about email for an organization, it is an open gateway. So it is one of the only pieces of infrastructure an organization has where anybody can send anything into an organization without pre-approval. And I think that’s one of the reasons why we’re seeing such a high level of threat around phishing, spear-phishing, business email compromise, those kinds of attacks. It is the – really, the entry point for every attacker that wants to get into an organization today, and it’s so effortless to execute one of these scams.

Dave Bittner: So what kind of things are you tracking? What are some of the specific campaigns that are popular these days?

Tim Sadler: So I think, you know, we see everything from the well-known trends like the fact that, you know, it’s tax season and the W-9 form scam – so attackers putting malicious attachments in emails trying to get people to open them because, you know, it’s tax season, and that’s something that everybody is watching out for. And then some of the more interesting things that we’re seeing specifically are around attackers scraping LinkedIn data to automate attacks based on people moving jobs. So a new joiner to an organization will – you know, is – may have a higher propensity to be duped by a phishing scam. They won’t know the protocol that an organization has in place. So we’re seeing a lot of attacks that come through when people are new to an organization. It’s maybe in their first or second week, and then they’ll receive a spear-phishing email pretending to be the CFO or pretending to be the CEO, trying to dupe them into doing something and, again, use those techniques of deception and urgency on emails.

Dave Bittner: Now, what about some of the more targeted campaigns – you know, things like spear-phishing, even – you hear it referred to sometimes as whaling, where they’re targeting high-level people within organizations?

Tim Sadler: And actually, you can – for attackers, it is fairly scalable to do this. You can build a LinkedIn scraper. You can be pulling names. And you can be automating the purchase of domains that look like legitimate domains but, in fact, aren’t. And then you can automate the sending of those emails into organizations. And, you know, the rewards from doing this kind of thing can be enormous for attackers. So I read about that charity in the U.K. this morning who fell victim to a spear-phishing scam where they lost almost a million dollars over three transactions. So it is a huge, huge payoff for these attackers when they actually – you know, they get their target to do the thing they want them to.

Dave Bittner: What are your recommendations for organizations to best protect themselves?

Tim Sadler: So I think, you know, it does start with awareness. You have to make sure that employees are aware that their inbox is dangerous. And they need to pause, if only for five seconds, just with every email they get and do some basic checks. So check, who is this email from? Does the domain look legitimate?

Tim Sadler: But really, what is extremely difficult is, for most organizations today, their entire security strategy is reliant on their employees doing the right thing 100% of the time. So if you are only relying on security training and awareness, there are going to be things that creep through. There are going to be attacks that are successful. And in the same way that organizations use advanced technology to secure their networks and secure their devices, we believe that organizations today need to be using advanced technology to secure their people.

Dave Bittner: Well, how does that technology play out? What sort of things are you describing here?

Tim Sadler: In order to secure people – so again, we come back to this point that people are unpredictable. They break the rules. They make mistakes, and they’re easily hacked. A system needs to understand the normal patterns of behavior that a person exhibits on email in order to understand what looks like a security threat and what looks like a normal email. So what organizations can do is they can use a platform – like Tessian, for example – that uses machine learning to analyze historical email patterns and behaviors to understand, on every incoming email, does this email look legitimate or not? And that’s something that we’ve pioneered and we use and is much more effective than some of the traditional approaches, which use rules or policies to control the flow of inbound email.

Dave Bittner: You know, it reminds me of a story that a colleague of mine shared with some friends who work for a nonprofit. And they got an email from the chief financial officer, who had just gone on vacation, and it said, I know; I realize I’m out of town, but I need you all to transfer this large sum of money, and I need it done immediately; you know, please don’t let me down. And to a person, they all said, this is the last thing in the world this person would ever say or do. And that tipped them off to the problem. It sounds like – I mean, that’s a similar thing to how you’re coming at this from a technological point of view or looking – making sure that the behavior isn’t anomalous.

Tim Sadler: Yeah, that’s exactly right. We use machine learning in the way that it’s been applied to other fields – for example, credit card fraud detection. You look at their normal spending patterns and behaviors on card transactions, and then you use that intelligence to then spot the fraudulent transactions. And that’s what we’re doing. We’re looking at normal email behavior in order to spot the fraudulent email behavior. And in the same way that you would try and train a person to look out for the unusual aspects of an email that may give a clue as to whether it’s a phishing email or not, you can train a machine-learning algorithm to do the same.

Tim Sadler: Now, the difference and the advantage to doing this is that a machine-learning algorithm can traverse millions and millions and millions of data points in a split second, whereas a human is only going to have a limited number of data points that they can remember or they can go back to in their mind.

Dave Bittner: Where do you suppose we’re headed with this? As you look towards the future and this problem with email continues to be an issue, do you suppose the types of things that you’re offering here are going to become just a standard part of doing business?

Tim Sadler: I think it’s critical that organizations today realize that their security strategy cannot be reliant on training people to do the right thing 100% of the time. And again, it comes back to – at the beginning of my career, I was working for one of the world’s largest banks and saw a massive problem, and that is that banks spend millions of dollars on securing their networks and devices using advanced technology, but they completely neglect the security of their people. So instead, they’re relying on training them to do the right thing 100% of the time. And that, obviously, doesn’t work.

Tim Sadler: I saw people who would send highly sensitive information to completely the wrong person. They would email documents to their personal email account, or they would fall for phishing scams. So we thought this was a huge problem that needed solving, and that’s why we built the product that we’re building today – because we believe that in the same way you have a firewall for your network and you have an EDR platform for your devices, we believe you need a human-layer security platform to protect your people.

Dave Bittner: All right. Interesting stuff. Joe?

Joe Carrigan: Yeah. A couple things stick out to me. One, your inbox is dangerous, and Tim does a really good job of describing why that is. He calls it an open gateway because anyone – literally anyone – can use your inbox.