Opportunity in Cybersecurity: Q&A With Carolann Shields From KPMG
By Maddie Rosenthal
Saturday, January 25th, 2020
Carolann Shields was recruited for a Chief Information Security Officer role at KPMG LLP almost 7 years ago after rising through the ranks at McKinsey & Company. She started in system reconciliation and deployment, went on to manage development for all of their enterprise systems, and then became the IT Security Program Manager (de facto deputy CISO). Throughout her career and to date, she’s driven more than fifteen company-wide cybersecurity initiatives and has done so by developing collaborative, positive security cultures and multi-faceted teams. While Carolann had an interest in math and aced computer classes from a young age, she actually studied and earned a degree in Business Studies in Ireland before starting down the path to cybersecurity. Having a background in business has shaped her style and approach to security, driving a focus on efforts that reduce an organization’s overall cyber risk.
Q. Describe your role as a CISO in 300 characters or less.

I lead a team with complementary talents and skills to work together effectively and bring transparency to an organization’s cyber risk in order to identify and design solutions and processes to mitigate those risks. I also educate and influence behavior to ensure compliance and protection while making security a commercial benefit, not just a cost.

Q. What would encourage more women to pursue roles in cybersecurity?

Need is the mother of invention. Highlighting the number of open positions and highlighting the fact that there are women with these skills in and outside of the industry is the first step. The fact is, you’re cutting out 50% of the population when you don’t create an environment for women where they feel they can excel and actually progress in their careers. Even if you hire a lot of women – which we’re seeing now – they don’t move through the ranks as easily because they don’t have enough role models or advocates. That’s why it’s so important that the women that do become successful reach back to support the women who are coming behind them. Encouragement is incredibly meaningful, and it doesn’t take much for leaders to give it.

Q. With that in mind, can organizations really ever guarantee diversity within teams?

When you decide you’re only going to hire the most qualified or the one with the most potential, you naturally have diversity. On the other hand, if you start saying I’m only going to hire women, or men, or this ethnic group or that religious group, the goal of recruitment breaks down. Decision-makers should only be interested in your brain and emotional intelligence. Who is the most qualified with the most potential? That’s who you should want for that role.

Q. Have you had role models or advocates throughout your life who enabled you to achieve the success you have?

The CISO at McKinsey at the time I started working there was a woman, Denise Hart, who has since retired, so it never even occurred to me that it wasn’t possible to achieve what she had or that it was in any way unusual that she had because she was a woman. On top of that, I had a father whose beliefs were sort of the reverse of what we typically think of. He believed that men should be out physically working and that women were much better as lawyers and accountants and doctors. For me, there were no limits as a child growing up about what I could be from a career perspective.

Q. What are some of the skills, interests, or personal attributes that lend themselves to a career in cybersecurity?

People who care about consequences and the bigger picture and who understand the larger impact of their role in an organization are the ones who will be successful and really excel in this industry. It shouldn’t be about just a paycheck; you need to care about what you do. Why? The vast majority of organizations get hacked because of mistakes; someone clicks on a link, firewalls are misconfigured, access is overly permissive, etc. The way to really prevent that is to have people care about their work so that they pay attention to the details, identify mistakes early and correct them before there is any harm done.

Q. Are there any misconceptions about cybersecurity that you want to set straight?

Security teams believe in the mutual benefit of being safe, which makes it collaborative by nature. While – yes – some of the most talented security engineers are at their desk working alone, a lot of it is about relationship building and collaboration and working with teams to develop and manage secure solutions.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Nielsen, Funding Circle and more. #TheFutureIsCyber
Insights on Human Layer Security from Tim Fitzgerald, CISO of Arm
Thursday, January 23rd, 2020
In case you missed it, on January 22 Tim Sadler, Tessian’s CEO and co-founder, hosted our first webinar of the year, which explored the biggest threat to an organization’s security: its employees. To understand the risk of human error in the workplace and how Tessian’s Human Layer Security platform is able to mitigate that risk, Tim S. was joined by Tim Fitzgerald, the CISO of Arm, for a live Q&A. Before joining Arm over two years ago, Tim F. served as the CSO of Symantec for over five years. He has a special interest in digital data and human security. Arm is a customer of Tessian’s, and has deployed Tessian Defender, Tessian Guardian, and Tessian Constructor. Consequently, Tim F. is not just attuned to the security risks associated with employees making mistakes; he understands how best to combat those risks. While you can listen to the full webinar and Q&A on-demand here, below are some of the key takeaways from Tim Fitzgerald.

Where does risk really exist?

Tim Fitzgerald: “It is very ‘sexy’ in security to talk about big hacking groups and use that as justification to invest in security. And there’s a lot of legitimacy behind that. But the other side of the narrative – which we spend more time on now than nation-state type threats – is how do we not do it to ourselves? Because now we’re more often dealing with avoidable events caused by predictable human error.”

“I think, in general, not only should we be talking to our senior executives and boards more clearly about where real risk exists – which for most companies is the human layer – but we also need to be doing more to help these people combat the problem rather than just passing blame.”

To err is human, but people are (generally) well-intentioned

TF: “I very much chafe at the idea that we think of our employees as the weakest link. It underserves peoples’ intent and how they choose to operate. Rather than that, we try to take a look in the mirror and say ‘What are we not providing our employees to help them avoid these type of scenarios?’”

“At Arm, we take the ‘people-are-people’ view. Not that they’re the weakest link; not that they don’t come with good intent; or that they don’t want to be good at their job; or that they take shortcuts just to get that extra moment of productivity. But, actually, everyone wants to do a good job and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.”

The role of a CISO is people-centric

TF: “I view my job in human security as somewhere between a sociology and a marketing experiment. We’re really trying to change peoples’ behaviors in a moment. Not universally, not their personal viewpoints. But will they make the right decision in this moment to do something that won’t create security risk for us? Evolving that strategy relies not just on how we influence behavior in that moment of time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job?”

“Security is ultimately my responsibility. But, we very much rely on what we consider our extended security team, which is all of our employees. Our view is that they can undo all the good that we’ve done behind them to try to compensate for the risk that normal human beings create.”

Security solutions should empower employees

TF: “By far the biggest single challenge we have is Arm’s ethos around information sharing. We have a belief – that has proven to be true – that this level of information sharing has allowed Arm to be extraordinarily successful and innovative. There’s no backing up from that, and that represents a huge amount of challenge; that level of information sharing is quite difficult to manage.

“Rather than saying people are an intractable problem and therefore we can’t conquer this, if we start thinking about how we can mobilize them as a part of our overall cybersecurity defense mechanism, it causes you to rethink whether or not you’re serving your populace correctly.”

Machine learning enables Human Layer Security

TF: “What I liked about Tessian is that it gave us an opportunity to use the ML in the background to try and develop context about whether or not something that someone was doing was either atypical or perhaps just part of a bad process. Either way, we can get a sense of whether or not what they’re doing is causing us risk. It doesn’t require us to be completely prescriptive about what we’re looking for, but it allows us to learn with the technology – and with the people – what normal patterns of behavior look like and, therefore, intervene when it matters and not have to react every time an alarm goes off.

“You have all this amazing context of what people are doing on email, which is where people spend most of their time and where most of the risk comes for most organizations. How can we turn this into more than just making sure someone doesn’t fat finger an email address or send sensitive files where they’re not supposed to go? Can we take the context that we’re gaining through how people are using email and create more of those moments in time to connect with them?”

Tessian fits into a larger security framework

TF: “We have a whole bunch of other mechanisms to protect against traditional insider threats – the people who are really acting against our best interest – but that instance is infrequent and high impact. The person who makes the mistake is high frequency, medium-to-high impact. We were getting hammered on that sort of stuff, which is why we came to Tessian.”

“When used correctly and in a finite environment or a finite data set, DLP solutions are very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try to deploy that broadly though…you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that. You end up trying to write these very complex rules that are hard to manage.”

The future of Human Layer Security

TF: “Can we start to mesh together what we know about the technology and the machines with real human behavior? It’ll not only help us find those bad guys in our environments who we know are there, but also to get out in front of people’s behavior rather than reacting to it after it happens. That’s the holy grail of what this could become. To get – if not predictive – at least start leading us toward where we think risk exists and allowing us an opportunity to intervene before things happen.”

Want to learn more about how Tessian helps Arm catch and stop accidental data loss with Tessian Guardian and prevent spear phishing attacks with Tessian Defender? Read the case study here.
Opportunity in Cybersecurity: Q&A With Gisela Rossi From Tessian
By Maddie Rosenthal
Monday, January 20th, 2020
Gisela Rossi is a Backend Software Engineer at Tessian who’s earned both her Bachelor’s Degree and Master’s Degree in Computer Science. Before starting at Tessian, she gained experience at Intel, Lyst, and Facebook and, for the last several years, has been very involved in the larger software community, specifically those communities that empower women and other minorities.  She’s a co-leader of PyLadies London, a member of the WISE Young Professionals Board, and a former mentor and volunteer at CoderDojo. 
Q. Describe your role as a Backend Software Engineer in 300 characters or less.

I work with Python to build and create products that are used by Tessian’s clients to protect their Human Layer from data breaches. I work closely with product and customer success teams to ensure we’re building solutions that make an impact.

Q. For those who might not be familiar, can you explain what Python is?

Python is my favorite programming language. Different languages have different styles and different communities around the language. There are conferences, online groups, and other events, and Python has one of the more diverse and inclusive groups around the language. I’m actually one of the organizers of PyLadies London. It’s not just the community, though. The language itself is really thoughtful. You can compare a programming language to what those of us in computer science call a “natural language”: English, French, Japanese. At the end of the day, they all serve the same purpose. You can have the same conversations but in different languages. Just like you’d have a preference in a natural language, you can have a preference in a programming language.

Q. And what about PyLadies London, what’s that?

The real goal is to encourage minorities to be more active participants in the Python community and, for some, maybe do a career change into the industry. There are talks, workshops, etc. It’s really about mentorship and empowerment.

Q. Do you think more mentors or role models would encourage more women to get involved in the industry?

I think mentorship is especially important for minorities – not just women – because we have to overcome different challenges. And those challenges aren’t necessarily big hurdles. For some people, it can be several small things. It could be a professor you have or a bad internship. One bad manager or experience isn’t representative of the whole industry, but it can be demotivating if you don’t know that there are more positive environments where these things don’t happen. That means those of us already in the industry have to fight the fight! More than anything though, you need more minorities to be decision-makers. You need those people in higher positions to demonstrate what’s possible and empower others to do the same. It’s especially important because the problems you solve in this industry are interesting, the work is fun, you’re well compensated. There are a lot of benefits if you can overcome the lack of diversity. But, you do need a diverse group of people to have a better chance of solving those problems. Age, race, gender…the more diverse the group, the more diverse the ideas.

Q. What problems have you been most interested or focused on so far in your career?

Data. All of our data is available online and when you consider all the people who could potentially access that data, you can start to see how big the industry’s scope is. The average person doesn’t realize how valuable their data is. People hand over their personal information for a free voucher without thinking twice about it. They don’t have bad intentions, of course, but from a security perspective, that’s a big risk. If you input your email address, home address, and phone number into a site that isn’t secure and that site gets hacked…you’ve got a big problem. At the end of the day, you are your data. So, what happens when someone steals it? But, it’s not even just scary from the perspective of hackers. Massive corporations and governments hold a lot of our data, too. What happens if they misuse it? That’s something that we’re trying to figure out in this field. We’re trying to mitigate that risk.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, IBM and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Niki Tailor From Tessian
By Maddie Rosenthal
Saturday, January 18th, 2020
Niki Tailor is a Platform Engineer at Tessian, where she’s worked for almost two years. Since starting, she’s been promoted to Team Lead and manages three people. Prior to joining Tessian, she worked first as an Analyst at Nomura, then as an Equities Technology Development and Operations Engineer at Bank of America.  Before entering the field, she earned her Bachelor’s Degree in Computer and Management Science.
Q. Describe your role as a Platform Engineer in 300 characters or less.

Security, stability, scalability, reliability, and automation of our Human Layer Security platform. As a Team Lead, I have people management responsibilities too, but day-to-day work involves solving problems, building new architecture, and empowering our engineering teams.

Q. Have you always been interested in cybersecurity?

Even though I studied Computer Science and Management, I didn’t always know I was interested in the field. My A-levels were a random mix of Math, French, Art and Economics. I didn’t know what I wanted to do so I chose a broad range of subjects that would allow me to pursue pretty much anything later on. But there are a few tech professionals in my family, so I was exposed to it throughout my life. I was always taking a peek at what my dad was working on so, unlike a lot of other people, I knew the industry existed and what the path to it could look like.

Q. How did you isolate Engineering as your area of interest from the larger umbrella of Computer Science?

I’ve had a lot of opportunities both at University and through the work experience I got during and afterwards that have helped direct me towards what I enjoy the most. My business-focused courses showed me that the technical, hands-on work was what I was most interested in, and the work I did coding as a developer made me realize that sort of role probably wasn’t the best use of my skills. I think those experiences are really important. Even though I didn’t enjoy the work, it’s good to have an understanding of the theory behind each of these things. It’s helped me do better work in the roles I really like.

Q. What interests you the most about the work you do?

Working in a start-up that’s trying to solve really interesting real-world problems is the best part for me. The challenges around securing sensitive data are immense, but that’s where the most interesting challenges lie. As a comparison, I’m not working in a corporate environment where bureaucracy is a challenge. The work I do isn’t done with the goal of making rich people richer. I’m actually doing something good. You read articles where businesses or charities get scammed and organizations lose millions and people lose their jobs. It’s rewarding to be a part of what’s preventing things like this from happening.

Q. Does that sort of work lend itself to unlimited growth potential?

The field is only going to get bigger. The problems we solve are only going to get bigger. I mean, right now, Tessian is solving the problem of security on email. Eventually, we’ll be solving the problem of security on all platforms. That means there are so many opportunities to learn new things and exercise creativity. This is a field that really encourages trying, even if it means failing, which means you never get bored. No two days are ever the same.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
How a Gmail Design Flaw Causes Misdirected Emails
By Ed Bishop
Wednesday, January 15th, 2020
A seemingly innocuous and incredibly common occurrence like sending an email to the wrong recipient can have severe consequences. The sender of a misdirected email is often blamed for being careless, for not paying attention to detail and, in some cases, for being technically illiterate. This can set a culture of embarrassment for employees, which means many misdirected emails, and their corresponding data breaches, are often not reported to line managers and compliance teams.

Gmail Design Flaw

A few years ago, Google added a feature to Gmail that suggests contacts to be added to an email’s recipient list. For example, if you add Jane and Sam to an email, it might suggest Ali, because Ali is often included on emails with Jane and Sam. Designed to be a productivity feature, this in itself could encourage a user to add a contact who maybe shouldn’t be included, resulting in a misdirected email. However, the focus of this article will be on what I consider to be an unpredictable UI (user interface) design flaw in the Gmail email compose window. We reported this flaw to Google’s Security Bug Report page on 18th December 2018.

I consider this to be a relatively common email user flow, in a new email:

1. Click in the recipient text area.
2. Start typing the 1st recipient’s name, and press enter to select.
3. Start typing the 2nd recipient’s name, and press enter to select.
4. Click in the Subject field to type the desired email subject.

You can see this demonstrated in the video accompanying this post. If you look carefully, as the second recipient is added – and after a significant delay, caused by an asynchronous API request – Google suggests that you might like to add two internal addresses to the email, as they are often seen on emails with recipient 1 and recipient 2. But notice where Google positioned the “add recipient” hyperlink. It shifted the position of the subject text area down and placed the hyperlinks where the original subject text area was. The clickable hyperlink area is fully encapsulated by the old subject text area.

In step 4 of the above user flow, if after adding the second recipient I quickly attempted to click in the subject text area, there is a chance that at that exact moment the delayed API request finishes, the subject bar shifts down, and I accidentally add an unintended recipient to the email. Ironically, I believe this unpredictable delay makes it more likely for a tech-savvy employee working quickly – one who can navigate around the compose window faster than the API request takes to finish – to fall foul of this design flaw and accidentally misdirect an email.

A Potential Fix

There are many potential fixes, but I think a simple rule that “no UI component should unpredictably move” would solve this. I would suggest increasing the spacing of the default compose window so that the “add recipient” hyperlinks could fit above the subject bar without moving anything.

Google’s Response

We raised this design flaw with Google Security on 18th December 2018. While Google does not feel it substantially affects the confidentiality or integrity of its users’ data, we disagree and believe this design flaw could lead to an increase in misdirected emails and data loss. Implications of sending misdirected emails can range from the embarrassing to the damaging, and can even lead to revenue loss due to reputational harm. Technology should be built and designed in a way to minimize human error, not increase the likelihood of it occurring.

Update: this design flaw seems to only affect Gmail on browsers, not the mobile application.
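To make the race concrete, here is an added example that models the compose window as a stack of rows and replays step 4 of the user flow against two layouts: one where the suggestion row is inserted above the subject field when the asynchronous request completes (the flaw described above), and one where that space is reserved from the start (the fix suggested above). This is illustration code written for this page, not Gmail’s code; the row heights, the 300 ms request delay, the element ids and the hand-movement timings are all constructed assumptions.

```javascript
// Added illustration, not code from the original post or from Google: a
// layout model of the Gmail compose-window race described above. Row heights,
// timings and element ids are constructed assumptions.

const SUGGESTION_ROW_HEIGHT = 24; // assumed height of the "add recipient" link row

// Stack rows vertically, assigning each a top offset from the accumulated heights.
function stack(rows) {
  let top = 0;
  return rows.map((row) => {
    const placed = { ...row, top };
    top += row.height;
    return placed;
  });
}

// Flawed behaviour: when the asynchronous suggestion request completes, the link
// row is inserted where the subject field was, pushing the subject field down.
function flawedLayout(suggestionsArrived) {
  const rows = [{ id: 'recipients', height: 40 }];
  if (suggestionsArrived) rows.push({ id: 'add-recipient-links', height: SUGGESTION_ROW_HEIGHT });
  rows.push({ id: 'subject', height: 40 }, { id: 'body', height: 300 });
  return stack(rows);
}

// The proposed fix: reserve the space from the start, so the links fill a gap that
// already exists and nothing below them moves ("no UI component should
// unpredictably move").
function fixedLayout(suggestionsArrived) {
  return stack([
    { id: 'recipients', height: 40 },
    { id: suggestionsArrived ? 'add-recipient-links' : 'reserved-gap', height: SUGGESTION_ROW_HEIGHT },
    { id: 'subject', height: 40 },
    { id: 'body', height: 300 },
  ]);
}

// Return the id of the row under vertical coordinate y, or null.
function hitTest(layout, y) {
  const row = layout.find((r) => y >= r.top && y < r.top + r.height);
  return row ? row.id : null;
}

// Step 4 of the user flow: the user aims at the centre of the subject field as it
// looked at aimAtMs (measured from the second recipient being added) and the
// click lands at clickAtMs. The suggestion request completes at apiDelayMs.
function simulateClick(layoutFn, apiDelayMs, aimAtMs, clickAtMs) {
  const target = layoutFn(aimAtMs >= apiDelayMs).find((r) => r.id === 'subject');
  const y = target.top + target.height / 2;
  return hitTest(layoutFn(clickAtMs >= apiDelayMs), y);
}

// Sweep a range of aim times for a fixed hand-movement time and count how many
// clicks land somewhere other than the subject field.
function countMisclicks(layoutFn, apiDelayMs, movementMs, aimTimes) {
  return aimTimes.filter(
    (t) => simulateClick(layoutFn, apiDelayMs, t, t + movementMs) !== 'subject',
  ).length;
}

const API_DELAY_MS = 300; // constructed: suggestions arrive 300 ms after recipient 2 is added
const aimTimes = Array.from({ length: 60 }, (_, i) => i * 10); // aiming 0..590 ms after adding recipient 2

console.log('flawed layout misclicks:', countMisclicks(flawedLayout, API_DELAY_MS, 150, aimTimes));
console.log('fixed layout misclicks: ', countMisclicks(fixedLayout, API_DELAY_MS, 150, aimTimes));
```

Only users whose aim-to-click window straddles the moment the request completes are misrouted, which is exactly the fast-moving user the post describes; with the reserved gap the subject field never moves, so no aim time produces a misclick.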
Opportunity in Cybersecurity: Q&A With Amber Pham From TransUnion
By Maddie Rosenthal
Sunday, January 12th, 2020
Amber Pham is an Information Security Officer at iovation, a business unit of TransUnion. After earning her Bachelor’s Degree in Psychology, she transitioned into IT where she worked for over nine years, first as a Systems Administrator and then as a Systems Engineer for software and technology companies like Webtrends and Intel. She rounded out her IT experience with consulting and contracting and was able to gain a broad range of experience; this inspired her to go down a slightly different path and pursue a career in cybersecurity. She’s been working for iovation since then – except for a three-year stint in Amsterdam where she also worked as an Information Security Manager – and has watched both the organization and the industry grow exponentially. 
Q. Describe your role as an Information Security Officer in 300 characters or less.

I’m a people manager, which is probably my most important role. I ensure people feel supported and in cohesion with other teams to learn and grow. I’m also the central point of contact for the corporate business and, as a part of that, I work with Development and IT teams to get security work done.

Q. How did you make the transition into cybersecurity after earning a degree in Psychology?

When I came out of college with a Liberal Arts degree I had basically zero technical skills. But, tech companies were growing so fast that they were really willing to give people a chance and train them. I got my “chance” thanks to a really good manager who recognized that I was a diligent worker and that I’d be able to figure the work out pretty quickly. That was working as tech support on a Help Desk, which is how I got into IT. I paid a lot of attention to the training and really just wanted to learn as fast as I could so that I could genuinely start contributing. I didn’t actually even use my psychology degree until I got into my current role in security leadership. Understanding the psychology of motivation has been a key part of building a team and security program.

Q. When did you make your move from IT to cybersecurity?

I went out to do some contracting and consulting. That’s really where I grew the most. You learn a lot faster because you’re throwing yourself into different situations at different companies at a really high rate. I was able to sample a lot of the opportunities available in physical security and networking security that way, and that’s what’s really missing in recruitment for this field. People just don’t know the huge variety of roles that are available, from social engineering to forensics to risk assessment.

Q. After you got a taste of all the different opportunities available, did you take any more steps to prepare yourself for the roles you were most interested in?

I went on to get my CISSP, which was a huge launching point for me. I know it’s just a test, but the studying that I did on the way to that really rounded out my knowledge and was a really strong signal to future employers that I had real experience under my belt and knew what I was talking about. This also gave me some confidence. For a young person – or anyone really – who wants to launch into a professional career in cybersecurity, certifications like that are a good place to start, especially because it’s hard to jump from 50% system implementation or another aspect of IT all the way to 100% cybersecurity without taking a little bit of a step down and back. That’s something people are reticent to do. But, by doing that – by taking on a role with slightly less responsibility than I was used to, but that was a 100% security job – I was more prepared for the industry and got recruited just nine months later into what has turned into my current job. I was their first “security person” and was able to build a security program from scratch.

Q. Having really run the gamut of IT and cybersecurity roles, has gender bias been an issue for you?

I’ve almost always been the only woman within the teams I work in. Currently, out of about ten Information Security Officers, I’m the only one. It continues to be the trend but, more often than not, people completely disregard my gender. As long as people don’t talk about it, I don’t really feel it. When I was in my 20s, it was more daunting. The combination of being young and a woman made me feel it more acutely, especially because I didn’t have a mentor. You know, most men I work with that are at a certain level credit their success to a mentor. I feel like I’d be years ahead if I’d had one. That’s why I say “yes” every time there’s a Women in Cybersecurity function, a mentorship program, a local event, anything. I always say yes. My dental hygienist asked if I would mentor her daughter because she’s interested in security and, of course, I said yes. It’s so important! You don’t have to be an activist to get involved and help someone.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, Funding Circle and more. #TheFutureIsCyber
A Brief History of Data Loss Prevention Solutions
Thursday, January 9th, 2020
For many organizations, Data Loss Prevention (DLP) is at once one of the most important components of their security framework and the biggest headache for administrators. Why? Because most risks to data security actually come from within an organization, which means security teams have to classify and monitor data across hundreds – even thousands – of different entry and exit points of a corporate network. This includes user devices like laptops and mobile devices, email clients, servers, and gateways within the network. While every vendor offers a slightly different functionality – and can solve for data loss on email, endpoints, or networks – the goal of DLP software is essentially the same: to minimize the risk of data leaving the organization. To understand the agility and efficiency of some modern solutions, it’s important to understand not only the history of DLP but the history of email. This is, after all, where employees now spend 40% of their time. How has email changed over the years? Today, most of us have at least one email address. It’s the main form of communication both in the workplace and with consumer-facing brands. While a decade or two ago, we might have used traditional mail, picked up the phone, or even met in person to share information, now we freely send sensitive data and information like bank account details, medical records, and confidential trade secrets via email every day. And, the fact is, most of us don’t consider the security of these exchanges. But, with the exchange of sensitive information comes potential risks. As such, there’s an urgent need to keep email – and therefore data – safe and secure. Back in the 1990s, when email started to take off, there was little-to-no email security. It soon became apparent that some kind of filtering system was necessary. This way, people could not only limit the volume of emails they received, but they could ensure that whatever landed in their inbox was relevant. 
While this filtered out spam broadly, we remain exposed to targeted email threats like phishing or spear phishing attacks. Internet Service Providers (ISPs), Secure Email Gateways (SEGs), and anti-virus software took filtering a step further, using pattern and keyword recognition to identify potentially threatening emails, but it’s still not enough. In fact, the number of phishing attacks continues to rise and 2019 saw the highest number in three years. Of course, this isn’t the only problem with email. As we mentioned, there are also data risks within an organization. Data could be lost through a simple mistake, for example sending a misdirected email. Or, there could be more nefarious intent, like a disgruntled employee leaving the company on bad terms and taking valuable information with them. So, how do you solve all of these problems? There are two schools of thought: one is data-centric and the other is human-centric. Data vs. human behavior When you consider the objective of DLP, you realize there are two distinct approaches to take. Data-centric approach: Rule-based solutions use the content of an email to perform analysis. These rules consider keywords, attachments, seniority level, and even the role or department of an employee to identify sensitive information and keep it within the organization. Human-centric approach: Instead of focusing only on the data, human-centric approaches like those offered by Tessian seek to understand complex and ever-evolving human relationships in order to protect sensitive information. While both approaches have their merits, there are some clear shortcomings to a data-centric approach.
Static rules cannot keep pace with behavior that changes over time, so the more effective solution is one that adapts and can discern variations in human behavior as they occur. A solution like this relies on machine-intelligent software that learns from historical email data to determine, in real time, what is and is not anomalous.

Learn more about human-centric DLP

Tessian Guardian and Tessian Enforcer are advanced DLP solutions that leverage machine learning to offer superior data protection in real time.
A Year in Review: 2019 Product Updates
By Harry Wetherald
Wednesday, January 1st, 2020
2019 was a big year for email security. While the world saw a record number of data breaches (up 33% from 2018), we also saw tighter security-related policies and regulations drafted and implemented and, in general, an increased awareness among businesses of the importance of proactive security strategies. We may be biased, but it seems noteworthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error, and the importance of machine learning and artificial intelligence in protecting people, has been one of the most talked-about trends among analysts going into the new year. Companies are waking up to the fact that humans are their biggest risk. It's about time. After all, misdirected emails, that is, emails accidentally sent to the wrong person, have been one of the top data security incidents reported under GDPR according to the Information Commissioner's Office. We believe it's unreasonable to expect employees to do the right thing 100% of the time when making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What's more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019 we rolled out a series of important product updates to keep our user base, which saw triple-digit growth over the last 12 months, safe. Here are the most important updates to Tessian's Human Layer Security platform in 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email

Keen to discover trends in the number of breaches Tessian prevented over the last 30 days? The dashboard gives administrators a complete overview of activity, including malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor is visible on one page, and visual representations of the data make it easy to monitor activity and drill down day by day. If suspicious activity is spotted, you can generate a report without leaving the page. The dashboard also shows user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network, which helps in-house security teams confirm that every employee is protected by Tessian's modules at all times.

2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever

Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms, making it more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. Bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It is imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time, and will continue to improve, enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first attempts. It's now even more difficult for employees to exfiltrate sensitive data

Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and is not likely to be authorized communication from the large body of data Tessian's ML model was trained on, rather than relying on prior email history with a particular address. For example, if an employee attempts to send an email to a personal freemail account whose address contains the employee's first name or surname, Tessian Enforcer warns the user that the behavior is potentially unsafe and prompts them to reconsider. Data exfiltration remains an unwieldy problem for businesses; Tessian gives them much-needed oversight of it on email.
4. In-situ learning opportunities. Employees can understand why an email is unsafe thanks to contextual warnings

Tessian prides itself on low flag rates so that security doesn't impede productivity, but we wanted to make the most of each warning as a chance to educate users, so that when users do see a notification they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that reinforces previous or ongoing security training. With more context included, employees can see exactly why an email is being flagged as suspicious and, importantly, make their own decision on how to proceed. This is at the core of Tessian's mission: employees should be empowered by security solutions instead of burdened by them.

5. New detection capabilities. Customers can create rules that are specific to their environment

Every business is different, and IT and information security leaders need flexibility in creating filter conditions that apply specifically to their operations. With the new detection capabilities, administrators can combine more conditions to build filters for their own use cases: scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protection and other DLP labels, for example. At the most basic level a rule looks like this: if A and B, then C, except when D or E. The variables can apply to many elements of an email, from the recipient(s) to language patterns. One way an administrator might use this would be a filter that only allows the finance team to share spreadsheets with people outside the organization if the recipient's address is recognized as a customer, except when the attachment contains a hidden row titled "social security numbers".
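As an added illustration of the two features described above, the first-attempt freemail heuristic (item 3) and composable "if A and B, then C, except when D or E" filters (item 5), here is a small Python rule engine. It is not Tessian's code. The tenant domain acme-corp.com, the customer list, the freemail list and the messages are all constructed for the example, and a spreadsheet's hidden rows are represented as an already-parsed list of titles rather than read from a real .xlsx file.

```python
"""Composable outbound-email DLP rules: "if A and B, then C, except when D or E".

Added illustration, not Tessian's code. Email/Attachment objects, the tenant
domain, the customer list and the freemail list are constructed stand-ins for
what a gateway or mail add-in would extract from a real message and config.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

INTERNAL_DOMAIN = "acme-corp.com"                                 # constructed tenant
CUSTOMER_DOMAINS = {"bigcustomer.example", "retail.example"}      # constructed CRM export
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # partial list


@dataclass
class Attachment:
    filename: str
    hidden_row_titles: List[str] = field(default_factory=list)  # output of a spreadsheet parser


@dataclass
class Email:
    sender: str
    sender_name: str            # display name as held in the corporate directory
    department: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


Predicate = Callable[[Email], bool]


@dataclass
class Rule:
    name: str
    when: List[Predicate]                                   # A and B ...
    action: str                                             # C: "warn" or "block"
    unless: List[Predicate] = field(default_factory=list)   # ... except when D or E

    def fires(self, email: Email) -> bool:
        return all(p(email) for p in self.when) and not any(p(email) for p in self.unless)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def external(email: Email) -> List[str]:
    return [r for r in email.recipients if domain_of(r) != INTERNAL_DOMAIN]


# ---- predicates -----------------------------------------------------------
def has_external_recipient(e: Email) -> bool:
    return bool(external(e))


def all_external_are_customers(e: Email) -> bool:
    return all(domain_of(r) in CUSTOMER_DOMAINS for r in external(e))


def from_department(dept: str) -> Predicate:
    return lambda e: e.department.lower() == dept.lower()


def has_spreadsheet(e: Email) -> bool:
    return any(a.filename.lower().endswith((".xlsx", ".xls", ".csv")) for a in e.attachments)


def has_hidden_row_titled(title: str) -> Predicate:
    t = title.lower()
    return lambda e: any(t in h.lower() for a in e.attachments for h in a.hidden_row_titles)


def to_own_freemail_account(e: Email) -> bool:
    """First-attempt exfiltration heuristic: a freemail recipient whose local part
    contains the sender's first name or surname. Needs no history with that address."""
    names = [n.lower() for n in e.sender_name.split() if len(n) >= 3]
    return any(domain_of(r) in FREEMAIL_DOMAINS and any(n in local_part(r) for n in names)
               for r in e.recipients)


# ---- policy ---------------------------------------------------------------
RULES = [
    Rule("finance-spreadsheet-to-non-customer",
         when=[from_department("finance"), has_spreadsheet, has_external_recipient],
         action="block",
         unless=[all_external_are_customers]),
    Rule("hidden-ssn-row-leaving-org",              # no exception: customers included
         when=[has_hidden_row_titled("social security numbers"), has_external_recipient],
         action="block"),
    Rule("personal-freemail-exfiltration",
         when=[to_own_freemail_account],
         action="warn"),
]

SEVERITY = {"allow": 0, "warn": 1, "block": 2}


def evaluate(email: Email, rules: List[Rule] = RULES) -> Tuple[str, List[str]]:
    """Return the strongest action among the rules that fire, plus their names."""
    fired = [r for r in rules if r.fires(email)]
    action = max((r.action for r in fired), key=SEVERITY.__getitem__, default="allow")
    return action, [r.name for r in fired]


if __name__ == "__main__":
    payroll = Attachment("payroll.xlsx", hidden_row_titles=["Social Security Numbers"])
    msg = Email("pat@acme-corp.com", "Pat Morgan", "Finance", ["ap@bigcustomer.example"], [payroll])
    print(evaluate(msg))   # blocked by the hidden-row rule even though the recipient is a customer
```

The exception list is evaluated only after every `when` predicate holds, which is what lets the finance rule express "allowed for customers" without a separate allow rule, while the hidden-row rule sits alongside it with no exception at all. The freemail check deliberately keys on the sender's directory name rather than on past correspondence, which is why it can fire on a first attempt.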
Protect your most valuable asset: your people

Tessian is committed to creating the world's first Human Layer Security platform, and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace.

Not yet a Tessian customer? Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats, including advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian deploys quickly to Office 365, Exchange, and G Suite; product updates roll out seamlessly for users and administrators; and the technology, built with productivity in mind, doesn't disrupt workflow. To understand how Tessian can fit into your existing security framework, request a demo now.
Whaling Email Attacks: Examples & Prevention Strategies
Thursday, December 12th, 2019
It is often reported that 95% of all attacks on enterprise networks begin with a successful spear phishing email. But spear phishing can take many forms. One form is whaling, and it is on the rise.
What is the difference between a spear phishing and whaling attack? A whaling attack is a type of spear phishing attack targeted specifically at an executive like the CEO or CFO. Spear phishing is an advanced phishing attack directed at a specific individual or company, not necessarily an executive. Whaling attacks are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. As a result, whaling attacks can be very convincing and difficult for both humans and email defenses to catch. It’s important to note that whaling and CEO fraud are not the same, even though they are sometimes used interchangeably. Whaling attacks target high ranking executives; they don’t necessarily impersonate them. CEO fraud (or CxO fraud) is a type of spear phishing attack where attackers impersonate a CxO or other senior leader.
Why are whaling attacks successful?

Whaling attacks can be easy to pull off. Attackers don't need much capital, special equipment or a particularly advanced skillset; they often just need to invest time in researching a target, which is easy given the proliferation of public profiles on platforms like LinkedIn. CxOs are incredibly busy and under tremendous pressure. They almost certainly have access to significant amounts of sensitive information, and their attention is divided across many parts of the business. Working at a fast pace, on the go or outside working hours can lead CxOs to make critical mistakes on email and be duped into thinking a whaling email is legitimate. What's more, CxOs may be less likely to attend security awareness training because of their schedules. More and more companies are investing in training, but busy executives may prioritize educating staff over themselves, which keeps the business at risk. After all, one misstep can have serious consequences for an organization, and CxOs have a target on their backs because of the amount of sensitive company information they hold.

How can a successful whaling attack hurt a company?

The motivation behind whaling attacks is commonly financial. But going after an organization's finances has wide-reaching consequences, affecting intangibles like company morale and brand reputation as well. The main consequences are:

Financial loss: a principal objective is to extract money from the targeted organization. In 2018, film company Pathé lost more than €19m after an attacker posed as the company's CEO and asked another senior executive to wire funds to a fake account. Austrian aircraft parts manufacturer FACC AG lost €50 million when its CEO fell victim to a whaling attack and wired the money to what he thought was a trusted source. When second-order penalties such as fines are taken into account too, whaling attacks can prove extremely damaging to an organization's balance sheet.

Data breach: data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the theft of user data. With organizations holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. Data breaches are also expensive to manage; the average cost of a breach is $3.86 million.

Fines: it is hard to think of data breaches and email attacks without the fines brought in by new regulation. In one of the first big GDPR cases, the UK's Information Commissioner announced in 2019 its intention to fine British Airways £183 million after a 2018 data breach.

Reputational damage: harder to quantify on a balance sheet, but after a whaling-induced data breach, hard-won brand reputation can be put at serious risk. An email security failure can damage an organization's relationships with its customers. Another second-order effect is a knock to employee morale and confidence, making the rebuilding work harder still.

How can your organization protect against a whaling attack?

Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats like whaling, SEGs commonly rely on the following:

Payload inspection, such as scanning URLs and attachments. This leaves organizations vulnerable to zero-payload attacks and can falsely increase user confidence.

Spam and bulk-phishing prevention, which focuses on past known attacks and basic email characteristics (e.g. domain authentication). These controls rely on blocklists of domains and IP addresses and on blocking bulk sends, so they fail against advanced impersonation, which is low-volume and often uses domains and IP addresses never seen before.

Rules to prevent impersonation. Rules can catch basic impersonation (e.g. newly registered domains, or a reply-to address that differs from the sender) but attackers have learned to evade them.

While SEGs can block malware and bulk phishing, rule-based solutions struggle to stop advanced impersonation and to detect external impersonation, which is common in whaling attacks. External impersonation is the impersonation of someone who belongs to a different organization than the target, such as a supplier or vendor. Tessian Defender detects a wide range of impersonation types, including manipulation of both internal and external contacts, and stops advanced threats that legacy systems miss. Its stateful machine learning analyzes historical email data to learn the difference between safe and unsafe inbound emails; by analyzing multiple data points in email headers, body text and attachments, Tessian Defender detects and prevents threats in real time with minimal end-user disruption.
What is Spear Phishing? Defending Against Targeted Email Attacks
Sunday, December 8th, 2019
With legacy tools trapping more scatter-gun approaches to stealing data and money from organizations, spear phishing has become increasingly popular amongst the cybercriminal community. Part of the appeal is that it is extremely difficult to detect.
What is spear phishing?
What is the difference between phishing and spear phishing?

On the face of it, phishing and spear phishing may seem similar, but there are important differences. Phishing emails are sent in bulk and are relatively easy to execute. They generally go after things like credit card data or login credentials and are usually one-and-done attacks. Spear phishing, on the other hand, is much lower in volume and far more targeted: a spear phishing attack is usually aimed at a specific individual within an organization and is highly personalized. What makes it so effective is that the email is harder to recognize as malicious, because it often convincingly impersonates a trusted source known to the target. Spear phishing is not as difficult to pull off as you might assume, and the research an effective attack requires is not much of a barrier given the abundance of data available online. It is no exaggeration to say that spear phishing is the number one security threat facing businesses today. Every spear phishing attack is unique by its nature, but there are characteristics common to most of them: the target, the intent, the impersonation and the payload.
The target

Spear phishing attacks commonly target employees or groups with access to money, sensitive systems, sensitive information or important people within the organization. Attackers select targets by department and by job title. New hires are also frequent targets: they tend to be more eager to please their superiors than longer-serving colleagues, and they have less sense of what normal email communication looks like within the company, so they are less likely to notice an internal address that looks wrong or a counterparty the organization does not usually deal with. There is an abundance of data online for criminals to exploit in identifying the best targets, from LinkedIn career updates to new-employee announcements on company websites. Once they have identified a target, attackers can easily research who that person regularly communicates with; social media sites such as Facebook and Twitter provide valuable information about roles, responsibilities and reporting relationships within an organization. With this information, the attacker can create a credible narrative and personalize the email, making the victim far more likely to fall for the impersonation.
The intent

The intent of a spear phishing email usually falls into one of three areas:

Extract sensitive information

Install malware onto the network

Wire money to accounts that belong to the attackers

Criminals hunt for sensitive information such as login credentials, medical records or bank codes because any information, regardless of type, has a value on the dark web. To get this data attackers use different tactics. They may deploy malware such as ransomware or keyloggers to cause widespread havoc, or spyware designed to sit undetected in the background and mine valuable data. Alternatively, they can take the direct approach: request a wire transfer in a well-crafted email impersonating a familiar colleague, supplier or customer. Attackers may also build a relationship with the victim long before making any request for money or information, or open with a simple, casual message ("are you in the office?") that easily starts an exchange; only then do they strike with a follow-up asking the target to wire money, send confidential information, or click on a payload. Generally, the email uses deliberate language in both the subject line and the body to establish context and intent and to create a feeling of urgency that helps trick the target.
The impersonation

There is always an element of impersonation in a spear phishing attack, whether of an authority figure inside the organization (a CEO or CFO), someone external (a trusted supplier or valued client), or a business unlikely to arouse suspicion (such as Microsoft or PayPal). The spectrum of impersonation tactics is broad, ranging from display-name and domain manipulation to the specific language used in the body of the email. And because modern organizations deal with so many counterparties, attackers have almost limitless scope to impersonate vendors or suppliers (external impersonation), which makes such attacks very hard to detect. Display-name impersonation is easy even for those with little technical knowledge and can be done in minutes in almost any major email client: the attacker sets an authentic-looking display name on their own account in order to mislead recipients. This approach has proven especially effective on mobile phones, where most mail clients hide the sender's address and show only the display name.
Domain impersonation is another popular technique, in which attackers spoof or imitate an organization's domain to appear legitimate. They look to circumvent security filters by impersonating recognized, trusted domains at the root (e.g. [email protected]), top level (e.g. [email protected]) or subdomain (e.g. [email protected]). Such domain manipulations are very hard for both humans and rule-based security solutions to detect. For instance, a commonly used rule computes the number of differing characters between two domains: "if the difference is smaller than 2, block the email." Attackers have learned to use more complex domain manipulations that slip past such a rule.
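The edit-distance rule quoted above, the display-name trick from the previous paragraph, and the manipulations that get past a pure distance threshold, as an added Python example that is not Tessian Defender's logic. acme-corp.com and bigcustomer.example are constructed trusted domains, the contact list and sender addresses are constructed, the confusable-character table is a small excerpt, and the registered-domain helper simply takes the last two labels (a real system would consult the Public Suffix List).

```python
"""Sender-impersonation heuristics for inbound mail, including the edit-distance
rule quoted in the text and the cases it misses.

Added illustration; not Tessian Defender's logic. acme-corp.com and
bigcustomer.example are constructed trusted domains, the contact list and the
sample addresses are constructed, and CONFUSABLES is a small excerpt of what a
real normaliser would carry.
"""
from typing import Dict, List

TRUSTED_DOMAINS = {"acme-corp.com", "bigcustomer.example"}
KNOWN_CONTACTS: Dict[str, str] = {            # lower-cased display name -> real address
    "jane doe (cfo)": "jane.doe@acme-corp.com",
}
# Cyrillic look-alikes, dotless i and common digit swaps; a real table is far longer.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "ı": "i", "0": "o", "1": "l"})


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    return domain.strip().lower().translate(CONFUSABLES)


def registered_domain(host: str) -> str:
    """Last two labels; adequate for the .com/.net/.example hosts used here. A real
    system consults the Public Suffix List so that suffixes like co.uk are handled."""
    return ".".join(host.split(".")[-2:])


def lookalike_domain(sender_domain: str, threshold: int = 2) -> List[str]:
    """The rule from the text: flag a domain that is not a trusted one but lies
    fewer than `threshold` edits from it. Normalising first means a homoglyph
    copy (distance 0 after normalisation) is caught as well."""
    raw = sender_domain.strip().lower()
    norm = normalise_domain(sender_domain)
    return [t for t in TRUSTED_DOMAINS if raw != t and levenshtein(norm, t) < threshold]


def brand_outside_registered_domain(sender_domain: str) -> List[str]:
    """What edit distance misses: the trusted brand used as a subdomain, or inside a
    longer label, on a host whose registered domain is something else, e.g.
    acme-corp.com.evil.net or acme-corp-billing.net. The distance to the real
    domain is large, so the threshold rule never fires."""
    norm = normalise_domain(sender_domain)
    if registered_domain(norm) in TRUSTED_DOMAINS:
        return []
    labels = norm.split(".")
    return [t for t in TRUSTED_DOMAINS if any(t.split(".")[0] in label for label in labels)]


def display_name_mismatch(display_name: str, address: str) -> bool:
    """A known contact's display name paired with an address that is not theirs:
    the cheapest impersonation, and the one most phone clients hide."""
    real = KNOWN_CONTACTS.get(display_name.strip().lower())
    return real is not None and real != address.strip().lower()


def assess_sender(display_name: str, address: str) -> List[str]:
    """Return the impersonation indicators present for one From: header."""
    domain = address.rsplit("@", 1)[-1]
    findings = []
    if display_name_mismatch(display_name, address):
        findings.append("display-name impersonation")
    if lookalike_domain(domain):
        findings.append("lookalike domain")
    if brand_outside_registered_domain(domain):
        findings.append("trusted brand outside its registered domain")
    return findings


if __name__ == "__main__":
    for name, addr in [("Jane Doe (CFO)", "jane.doe@acme-corp.com"),
                       ("Jane Doe (CFO)", "jane.doe.cfo@gmail.com"),
                       ("Accounts Payable", "ap@acme-c0rp.com"),
                       ("Accounts Payable", "ap@acme-corp.com.evil.net"),
                       ("Accounts Payable", "ap@acme-corp-billing.net")]:
        print(f"{name:18} {addr:30} {assess_sender(name, addr)}")
```

Run stand-alone, the last two sample addresses show the point of the passage: both carry the trusted brand, both are nine or more edits away from acme-corp.com, so the "fewer than 2 characters" rule lets them through and only the registered-domain check catches them. Brand-substring matching will produce false positives for short or generic brand names, so in practice it is a signal to weigh with others rather than a block on its own.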
The payload

A payload is a malicious link or attachment contained in an email: for example, an attachment that deploys malware or ransomware when opened, or an embedded link that leads to a fake login page that harvests credentials. Not all spear phishing emails contain a payload. Historically, attackers leaned heavily on payloads, so email security solutions were developed to detect them: they analyze and sandbox attachments, inspect links and examine the sites the links point to. As these controls have become widespread, attackers have learned to execute attacks without links or attachments, using coercive language and social engineering alone to get the target to share confidential data or wire money.
Why is spear phishing still a problem today?

Today, employees are the most important data processors in any company, and just one employee misstep can have serious consequences for an organization. With the information they obtain, fraudsters can expose commercially sensitive information and steal large sums from organizations. Employees likely receive more security awareness training than in the past, but their workloads have become greater and more complex; they are busier than ever and expected to maintain the same pace of delivery. People will therefore make mistakes and be deceived, and no amount of training will change that. Training is well intentioned, but on its own it is not enough to prevent increasingly sophisticated spear phishing attacks, and companies can't rely on people spotting every attack. While SEGs can block malware and bulk phishing, they cannot stop spear phishing emails that carry no payload. Email is the main communication channel for enterprises today, but its openness makes it easy for attackers to exploit. Data continues to be lost and systems continue to be compromised via email, with spear phishing increasingly the attack vector of choice. Recent headline-grabbing attacks include: volunteers for Hillary Clinton's presidential campaign being targeted as part of one attack; city officials in Ocala, Florida being tricked into sending over $742K to what they thought was a construction company; and the Australian National University being hit by a spear phishing email that let attackers silently monitor the university's activity and steal the credentials of staff and students.
How can machine learning help stop spear phishing attacks?

The common root of all spear phishing attacks is impersonation: an attacker is pretending to be someone the target trusts. Companies therefore need to identify impersonation on email in order to protect their users and, importantly, their data and systems. But detecting impersonation is not easy; to do so, you need to understand human relationships and human behavior, and machine learning (ML) is well suited to this. By learning from historical email data, Tessian's ML algorithms build an understanding of a company's users, their relationships and the context behind each email. This allows them to detect a wide range of impersonations, from obvious payload-based attacks to subtle, socially engineered ones. To learn more about how Tessian Defender prevents spear phishing attacks for organizations like Arm, talk to an expert today.
Tessian Attends New Statesman’s Cybersecurity in Financial Services Conference
Tuesday, December 3rd, 2019
Last week, the Tessian team was delighted to attend New Statesman's second annual Cyber Security in Financial Services conference, hosted in London. New Statesman is a leading British political and cultural publication founded in 1913. The conference was attended by security executives from leading financial institutions, who shared their experiences and best practices on securing the industry across a series of keynote speeches, panel discussions and networking sessions. Topics included digital transformation, open banking and threat intelligence. Tessian's Head of EMEA and APAC, Abhirukt Sapru, joined GlobalData's Ed Thomas on a panel to discuss the risks and opportunities of smart machines, artificial intelligence, and IoT in finance. Chaired by New Statesman's Managing Editor, Will Dunn, the conversation started by looking at the current threat landscape within the industry and examining the weak points that continue to make financial institutions vulnerable. The panel noted that many organizations continue to use security solutions with pre-programmed rules, which are limited in their ability to detect and prevent evolving threats. Abhirukt went on to address the prevailing problem within the industry: people. "The threat landscape is more about the person than the machine." He continued by talking about how humans are bound to make mistakes and break the rules, both accidentally and maliciously, and recounted the regrettable time during his days as a banker when he misdirected an email containing sensitive data to the wrong person. Organizations can invest a lot of money in security solutions, he said, but if they don't account for the human factor, one mistake can cause substantial damage. Ed added that in his experience "issues with security really start with people and processes." The discussion then turned to awareness and education.
Both Abhirukt and Ed agreed that if education and cybersecurity awareness isn’t adopted at the top, then it is highly unlikely that it will trickle down throughout an organization. This aligned with one of the key themes of the conference: cybersecurity needs to be a board issue. The discussion concluded with a Q&A session where questions focused on what financial institutions can do to discover the best solutions to invest in. The key takeaway? When it comes to securing data, financial institutions will continue to be at risk unless they get proactive with their security strategy. To learn more about how Tessian is helping financial institutions like Evercore, speak to an expert today.
Ensuring Data Security under GDPR
Monday, December 2nd, 2019
Coastal Housing Group is a not-for-profit social housing provider specializing in community residential properties. The business predominantly operates in South Wales, United Kingdom. In addition to residential properties, Coastal Housing has a robust commercial portfolio that focuses on mixed-use town center regeneration projects. Coastal Housing is protecting 250 employees with Tessian Defender and Tessian Guardian.
Protecting a bustling business Coastal Housing has provided housing opportunities to communities across South Wales since 2008. Mark Elias is Coastal Housing’s IT Infrastructure Manager. He understands how important data security is in the housing sector.  Coastal Housing handles and processes a considerable amount of sensitive information and utilizes multiple, complementary technologies to help keep this information protected. While the organization goes to great lengths to provide staff with the reassurance that they are conscientious about security, the IT team recognized that they could do more. With a growing mobile workforce and data regularly exiting the organization’s directly controlled network, the IT team wanted to see how machine learning could fortify their security stack. Tessian’s offering was exactly what Coastal Housing was looking for.
Staying vigilant under GDPR Tessian integrated seamlessly into Coastal Housing’s layered infrastructure. Tessian was up and running in a short period of time and was very easy for the IT team to understand. Having implemented Tessian Guardian, Coastal Housing can now prevent accidental data loss from misdirected emails, mitigating the impact of human error and helping IT teams control an unwieldy problem. Coastal Housing’s IT team deployed Tessian and educated employees about how the product works quietly in the background. With a low false positive rate, Coastal Housing’s employees liked the fact that when a warning did appear, it provided context on what had happened. Guardian accurately flags mistakes without disrupting their day-to-day workflow. Coastal Housing employees now feel assured that they won’t accidentally send sensitive information to the wrong destinations. In addition to the problem of accidental data loss, Coastal Housing’s IT team are acutely aware of how sophisticated spear phishing attacks are becoming. While employees are being as vigilant as they can be, it’s unrealistic to assume they will be able to spot a threat 100% of the time. Armed with Tessian Defender, Coastal Housing has secured their system from inbound spear phishing threats, protecting the organization from data being pilfered and systems being compromised.
Maintaining security while growing Coastal Housing understands that for security to be effective it cannot be static. As threats evolve, so must the technology designed to protect against them. Being a bustling business, Coastal Housing will continue to adapt and to respond to the ever-changing landscape. The organization will continue to focus on investing in platforms that are capable of doing the same.
Learn more about how Tessian prevents human error on email Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.