Tessian Blog

Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Hayley Bly From Nielsen
By Maddie Rosenthal
Monday, March 9th, 2020
Hayley Bly is a Cybersecurity Architect at Nielsen, where she’s worked since graduating from the University of Miami with a Bachelor’s Degree in Computer Science almost four years ago. Since starting her career, she’s championed the industry by going back to her alma mater for recruiting events to raise awareness about cybersecurity and has participated in events in collaboration with Women in Technology International (WITI). She’s also found time to further her education and is currently working towards her Master’s of Science in Cybersecurity.
Q. Describe your role as a Cybersecurity Architect in 300 characters or less

I build tools that our incident response team uses. This could be implementing a vendor tool or building something from scratch. We do both, and this includes designing how the tools are made, implemented and deployed throughout the larger company.

Q. Since your educational background seems so focused, have you always been motivated to pursue a career in cybersecurity?

My parents both worked in banking software so I’ve always been around it. They both really pushed me to explore a career in the field but – you know how it is – I fought it. I never wanted to pursue it just because they told me to do so; I wanted to decide my own path. That’s why I actually applied to college as Pre-med. But, my senior year of high school, there were no other electives to pick so I chose the computer programming class and, of course, fell in love with it. Once I was accepted into the Pre-med program at the University of Miami, I threw them for a loop and asked if I could change my focus to Computer Science and never looked back.

Q. How did you transition from more general Computer Science to cybersecurity specifically?

I thought I was going to be a software developer up until I started at Nielsen straight out of college. Since then, I’ve really found my home in cybersecurity. The team I work with and my managers are absolutely incredible. They have had something to do with every single career decision I’ve made thus far, because the work others do really inspires me. Especially when I first started, their work opened my eyes to how much I didn’t know and what really goes on behind the scenes in a company. When you’re working in cybersecurity, you’re not just writing code all day. You’re actually dealing with real-world problems and it’s up to you to prevent, detect, and respond to incidents by finding or creating solutions.

Q. What do you think would inspire more young women to enter into the field?

I think just bringing more awareness to the fact that you can really create your own success. I was let in the door without any real cybersecurity skills or experience and was given the opportunity to prove myself, and I have. It’s a jump-in-and-figure-it-out-as-you-go type of field and people shouldn’t be afraid to do that. Cybersecurity isn’t about who you are or what degree you have. It’s about what you can do, what problems you can solve, and how well you can work with other people to get the job done. You don’t have to play politics because your work speaks for itself. I love that.

Q. Do you have any recommendations for resources or groups that might be a good first-step for anyone interested?

Meetup.com is a great way to connect with local people who are interested in the same things you are and, speaking specifically about cybersecurity events, people can pique their interest and learn, but in no-pressure situations. And that’s really important. I think sometimes when you’re first starting out at something it’s easy to feel self-conscious or nervous about really getting involved, and these events can give newcomers a chance to try something they haven’t before without any fear of being wrong or feeling out of place.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Hillary Benson From StackRox
By Maddie Rosenthal
Sunday, March 8th, 2020
Hillary Benson is the Director, Product at StackRox and has an incredible background in government and military intelligence. She holds two degrees, including a Bachelor’s Degree in Management Science with a focus in Finance from Massachusetts Institute of Technology and a Master’s Degree in Security Studies with a focus in Terrorism and Substate Violence from the Georgetown University Walsh School of Foreign Service. Additionally, she is a Master’s candidate in Computer Science at The Johns Hopkins University. But, her experience isn’t limited to her education. She started her cybersecurity career at the National Security Agency, where she spent almost six years as an intelligence analyst, technical collector, and product leader. She moved into the private sector as a red team operator and has shifted gears in the last three years to focus on building product at a leading container security company called StackRox.
Q. Describe your role as a Director, Product in 300 characters or less

My job is to distill business opportunity into a technical vision and development roadmap for our flagship security product, the StackRox Kubernetes Security Platform. We’re building a product that enables security practitioners to rethink their approach to security by leveraging container technology.

Q. Your background – both educational and professional – seems very focused. Have you always aspired to have a career in this industry?

From a very young age I had an interest in technology, security, the military and intelligence. I can certainly tie all the threads from those interests to where I’ve ended up, but I wouldn’t have been able to predict that my path would look the way it does. I generally attribute that to the fact that the most interesting opportunities are usually the most difficult to predict, and I am constantly searching for the next interesting problem to solve. My approach to life can lead me down very unexpected rabbit holes.

Q. What professional experiences have guided your career path the most?

Certainly NSA had a huge impact on my career direction. I landed there by luck, really, after shotgunning online job applications. I applied on the right day, they picked up my resume, and before I had even graduated I was in the clearance process. I joined as an Intelligence Analyst and participated in a program that allowed me to rotate through a number of offices within NSA to get experience in different disciplines. I gravitated toward technical analysis and collection. That track led me to Tailored Access Operations and stoked my interest in offensive security. The rest is history. Looking back on my career up to this point, many of the contributions I’m most proud of took place during my time with NSA. At certain times, I had an extreme sort of impact that you can’t replicate in the commercial world.

From a business perspective, though, I’ve learned more in the last two years than I ever hoped for and am extremely proud of the product that my team has built at StackRox.

Q. Since you’ve sampled a lot of different disciplines within cybersecurity, do you think people tend to have a narrow view of the industry and the jobs available in it?

People hear “cybersecurity” and think of hackers in hoodies. That’s a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that’s not all there is. A lot of what you do as a security professional involves bridging gaps between security teams and the development and operations teams. So much of the job is convincing people that the security risks you find are worth fixing. You can’t do that if you only have technical skills; you have to be able to talk to people and to influence them.

Q. Do you need certifications or a degree to get those skills?

Actually, of all the things to get into without formal education or training, there seem to be a lot of people who either cross-train from other fields or enter security without any formal education. Which is pretty awesome, I think. It’s not uncommon to hear someone say something like “Oh, I studied psychology, then took a year off and painted, and now I’m a penetration tester”. There are many people in security who gained the knowledge and landed a job without a formal degree. A lot of the folks I’ve worked with were independent and curious problem-solvers—I think not in small part because a lot of them fought their way into their role by proving their competence in the field. You don’t necessarily have to take the traditional route and get a four-year degree. If that works for you, great. But if you’re looking to switch careers or you’re confident in your specific passion for the security industry, there are other ways to get the requisite technical skills.

The OSCP is a great training ground for aspiring penetration testers who want to nail down the basics. Joining a bug bounty platform like HackerOne or Bugcrowd is an excellent way to get hands-on experience with finding bugs in the real world. And almost nothing beats learning to code—what better way to understand how security issues materialize when building software but to try to build it for yourself?

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Integrated Cloud Email Security
Insights from Tessian Human Layer Security Summit | London 2020
Thursday, March 5th, 2020
On March 5, 2020, Tessian hosted the world’s first Human Layer Security Summit, bringing together speakers from Prudential, Lloyd’s of London, Herbert Smith Freehills, Clifford Chance, HFW and Tradecraft to talk about security culture, the Human Element, and the evolving threat landscape. Hundreds of people joined us in person in London and from around the world via livestream. In case you missed it, you can watch a recording of the event here.

While the focus of the Summit centered on Human Layer Security and why we need to protect people (not just networks and devices), the speakers and panelists offered a diverse range of insights into the challenges cybersecurity professionals are up against and, importantly, how they try to solve them.

It takes a village to secure an organization’s data, devices, and networks

Accountability is required company-wide in order to make policies, procedures, and tech solutions effective. That’s why those in cybersecurity leadership positions are laser-focused on finding new ways to engage with employees through gamification, interactive content, podcasts, and more.

According to Timor Ahmad from Lloyd’s of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, employees are, fortunately, becoming less passive in their roles as they relate to cybersecurity. As the Human Element continues to be one of the biggest risk factors in data breaches, individuals have to do their part to supplement the security stack. Empowering employees takes the burden off both them and the information security team, and for smaller teams that is vital. For more insights from the panel discussion, click here.

Cybersecurity frameworks and strategies can’t be static

There’s a lot that goes into creating an effective cybersecurity framework and strategy. They take months, even years, to create and implement, and they have to keep evolving in step with both external and internal factors. Privacy laws, regulations, compliance standards, company size, board members, budgets, individual employees, even the Coronavirus: all of these affect strategies and should therefore influence them. It’s a minefield, but unless all of these factors are considered and regularly re-evaluated, organizations put themselves at risk. It takes a cybersecurity strategy that’s customized, and re-customized, to keep networks and devices secure and to empower and enable employees to make smart security-related decisions.

Breaking in is easier than defending

While spam, phishing scams, and more targeted attacks like spear phishing are relatively easy for attackers to pull off, spotting these emails is hard, even with training. Interestingly, though, according to Glyn Wintle, an ethical hacker and penetration tester, employees tend to be incredibly confident in their ability to spot phishing emails, with just 3% of people saying they have a low probability of falling for a phishing scam.

Unfortunately, confidence doesn’t equate to actual ability, especially when attackers combine bulk email lists, technical acumen, and social engineering. By abusing trust, piquing curiosity, and/or creating a sense of urgency, they can get whatever it is they’re after, from login credentials to a bank transfer, from at least one person out of the tens, hundreds, or thousands they’ve emailed. Interested in learning more about cybersecurity from a hacker’s perspective? Click here.

There are some fundamental problems with cybersecurity awareness training

Mark Logdson sees three problems with cybersecurity awareness training: it’s often irrelevant to the audience or user, it’s generally quite boring, and it’s expensive in terms of both the investment and the productivity lost during the training itself. Mark said it best: “We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect ‘Johnny’ to be grateful for having spent that time in the training and to have been thoroughly entertained.” You also hope he’s learned something. This likely sounds familiar both to cybersecurity professionals who run awareness training programs and to the employees who take part in, or should we say endure, quarterly or annual training sessions. Of course, Mark isn’t suggesting that organizations do away with cybersecurity awareness training; he’s simply saying it needs to be tailored to the risk areas in each individual organization in order to be effective. You can read more about Mark’s approach here.

Cybersecurity isn’t just a support function, it’s an enablement function

While cybersecurity has historically been a very siloed department within organizations, it’s becoming not only more integrated into the wider business but also an enablement function. In short, board members and employees across departments see the value in information security. In fact, more and more, representatives from cybersecurity teams are being called on to promote a business’s value proposition through its security. It makes sense, especially for organizations that handle large amounts of external data for clients or customers. In that case, security becomes a unique selling point in and of itself.

For an industry that has historically struggled to communicate its value and the return on investment of its strategies, this is huge. The insights offered at our first-ever Human Layer Security Summit were invaluable, not only for cybersecurity professionals, but also for employees and consumers. We’ll be announcing the next Human Layer Security Summit soon, so be sure to subscribe to our newsletter for the latest industry and company updates. #HumanLayerSecuritySummit20
Integrated Cloud Email Security
RSA Recap: The Human Element is More Than a Buzzword
By Maddie Rosenthal
Wednesday, March 4th, 2020
Last week, Tessian was at RSA 2020 in San Francisco. While this was only my fourth month at Tessian, it was my ninth year at the annual cybersecurity conference, which I previously attended on behalf of Mimecast, Proofpoint, and Cofense when I was part of their respective teams. Last year the agenda was very much focused on automation, machine learning (ML), and artificial intelligence (AI), but this year the theme was much more human. More specifically, it was the Human Element.

What is The Human Element?

This theme, of course, resonates with all of us here at Tessian. After all, it’s why we created Human Layer Security. Humans and our propensity to break the rules, make mistakes, and get hacked are the foundation for everything we do at Tessian. We believe humans are an organization’s biggest asset, so long as they are empowered to make smart security-related decisions. But how do you actually enable and empower people to make those decisions? How do you actually protect the Human Element? While Tessian is clear and confident that stateful machine learning is the most effective way to protect the Human Layer, it seemed like a lot of other vendors relied on strong messaging alone to align with this year’s RSA theme and didn’t necessarily have the technology or functionality to back that messaging up.

The Human Element Applies to Both Inbound and Outbound Threats

If you look at cybersecurity historically, solutions have been focused on protecting networks, endpoints, and devices. You know, machines. But phishing isn’t a machine or technology problem. It’s a human problem. Sure, we can use spam filters or Secure Email Gateways (SEGs) to mitigate the risk, but it’s inevitably people that are both behind the attacks and the last line of defense. What about awareness training and phishing simulations?

While this type of solution may have a positive effect in the short term, the immediate gains wane over time as people forget the training and revert to old behaviors. Tessian even published a report examining this problem. Phishing is, and has been, a hot topic, and the inbound space is crowded with vendors that claim to protect organizations from this type of attack. But the Human Element isn’t limited to inbound threats. It’s just as relevant, if not more so, to outbound threats. Misdirected emails, insider threats, accidental data loss: these are all human problems that rely not only on people being aware of security policies and best practice, but also on people doing the right thing 100% of the time. That is a tall order when they are in control of more sensitive data and systems than ever before. Unfortunately, to err is human. And that, in a nutshell, is the problem. Humans will make mistakes. Humans will break the rules. Humans will get tricked or hacked.

Visibility is Key

Fundamentally, CISOs and other IT decision-makers understand this, but they may not always have understood how big a problem human error is. In my experience, visibility of the scope of the problem is the lifeblood of any cybersecurity strategy or framework. Vendors know this, which is why we see so much messaging focused on fear-mongering: messaging about the size and scale of the problem, with alarming stats that seem only to trend upwards. We’ve been guilty of this in the past, too. But CISOs are tired. They want strong solutions, not strong messaging.

Strong Messaging Doesn’t Solve Cybersecurity Challenges

It’s safe to say, especially given this year’s theme, that the cybersecurity industry and the professionals within it have started to wise up to the problem of human error beyond phishing. In particular, they understand the challenges and consequences associated with accidental data loss and data exfiltration, and are beginning to have visibility of the scope of these problems, too. But they have very few solutions. While a lot of vendors shouted about the Human Element this year, their product offerings haven’t changed since last year, when they were shouting about AI, ML, and automation. SEGs and other cybersecurity solutions don’t suddenly empower employees to inspect and identify threats with 100% accuracy just because their messaging is now more people-focused than it has been historically. Actually solving problems related to the Human Element takes innovation and disruptive technology that challenges widely accepted, albeit ineffective, approaches previously classed as best practice. A new tagline isn’t enough.

The Future of People-Focused Cybersecurity Solutions

Cybersecurity is a broad, expansive industry that seeks to solve an incredible range of problems. There are firewalls, web applications, password managers, sandboxes, and simple spam filters, and new start-ups crop up nearly every day claiming to solve one or more of these problems. Why? Because the industry is one of the most important today given the digital landscape, and it is incredibly valuable because of that. In fact, the global cybersecurity market has grown 30x in the last 13 years and the industry received record venture capital investment in 2019. But growth is only good if we as an industry look at the problems we’re solving holistically.

If we collectively recognize that the Human Element is a challenge we’re up against, the next generation of cybersecurity solutions has to take a new approach to protecting human-digital interactions. Tessian is doing just that by creating Human Layer Security, a new category in the industry. We protect people on email from both inbound and outbound threats with stateful machine learning. It’s not just messaging; it’s our genuine product offering. Interested in how Tessian’s Human Layer Security platform can protect your data by protecting your Human Element? Book a demo now.
Integrated Cloud Email Security
To protect people, we need a different type of machine learning
By Ed Bishop
Saturday, February 29th, 2020
Despite thousands of cybersecurity products, data breaches are at an all-time high. The reason? For decades, businesses have focused on securing the machine layer — layering defenses on top of their networks, devices, and finally cloud applications. But these measures haven’t solved the biggest security problem — an organization’s own people. Traditional machine learning methods used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex. This is why “stateful machine learning” models are critical to security stacks.

The people problem

The problem is that people make mistakes, break the rules, and are easily hacked. When faced with overwhelming workloads, constant distractions, and schedules that have us running from meeting to meeting, we rarely have cybersecurity top of mind. And things we were taught in cybersecurity training go out the window in moments of stress. But one mistake could result in someone sharing sensitive data with the wrong person or falling victim to a phishing attack. Securing the human layer is particularly challenging because no two humans are the same. We all communicate differently — and with natural language, not static machine protocols. What’s more, our relationships and behaviors change over time. We make new connections or take on projects. These complexities make solving human-layer security problems substantially more difficult than addressing those at the machine layer — we simply cannot codify human behavior with “if-this-then-that” logic.

The time factor

We can use machine learning to identify normal patterns and signals, allowing us to detect anomalies when they arise in real time. The technology has allowed businesses to detect attacks at the machine layer more quickly and accurately than ever before. One example of this is detecting when malware has been deployed by malicious actors to attack company networks and systems. By inputting a sequence of bytes from a computer program into a machine learning model, it is possible to predict whether there is enough commonality with previously seen malware, with a degree of robustness to the obfuscation techniques attackers use to disguise it. Like many other threat detection problem areas at the machine layer, this application of machine learning is arguably “standard” because of the nature of malware: a malware program will always be malware. Human behavior, however, changes over time. So solving the threat of data breaches caused by human error requires stateful machine learning.

Consider the example of trying to detect and prevent data loss caused by an employee accidentally sending an email to the wrong person. That may seem like a harmless mistake, but misdirected emails were the leading cause of online data breaches reported to regulators in 2019. All it takes is a clumsy mistake, like adding the wrong person to an email chain, for data to be leaked. And it happens more often than you might think. In organizations with over 10,000 workers, employees collectively send around 130 emails a week to the wrong person. That’s close to 7,000 data breaches a year.

For example, an employee named Jane sends an email to her client Eva with the subject “Project Update.” To accurately predict whether this email is intended for Eva or is being sent by mistake, we need to understand — at that exact moment in time — the nature of Jane’s relationship with Eva. What do they typically discuss, and how do they normally communicate? We also need to understand Jane’s other email relationships to see if there is a more appropriate intended recipient for this email. We essentially need an understanding of all of Jane’s historical email relationships up until that moment.

Now let’s say Jane and Eva were working on a project that concluded six months ago. Jane recently started working on another project with a different client, Evan. She’s just hit send on an email accidentally addressed to Eva, which will result in sharing confidential information with Eva instead of Evan. Six months ago, our stateful model might have predicted that a “Project Update” email to Eva looked normal. But now it would treat the email as anomalous and predict that the correct and intended recipient is Evan. Understanding “state,” or the exact moment in time, is absolutely critical.

Why stateful machine learning?

With a “standard” machine learning problem, you can input raw data directly into the model, like a sequence of bytes in the malware example, and it can generate its own features and make a prediction. As previously mentioned, this application of machine learning is invaluable in helping businesses quickly and accurately detect threats at the machine layer, like malicious programs or fraudulent activity. However, the most sophisticated and dangerous threats occur at the human layer when people use digital interfaces, like email. To predict whether an employee is about to leak sensitive data or determine whether they’ve received a message from a suspicious sender, for example, we can’t simply give that raw email data to the model. It wouldn’t understand the state or context within the individual’s email history.
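The Jane/Eva/Evan scenario above, as an added worked example that is not Tessian's code and not from the original article. It keeps one sender's outbound history per recipient and scores a candidate recipient by how much recent, topically similar mail the sender has sent them, with an exponential decay so that relationships fade after a project ends. The half-life, anomaly ratio, names, addresses and dates are all assumptions constructed for the example; the point it demonstrates is that the same email scored at two different moments in time gets two different answers, which is what "state" means here.

```python
"""Recency-aware ("stateful") recipient scoring for outbound email.

Added example, not Tessian's code: a toy version of the idea in the article
above. All senders, recipients, subjects and dates are constructed. Each
sender's history is kept per recipient; a candidate recipient is scored by
how much recent, topically similar mail the sender has sent them, with an
exponential decay so old relationships fade. Scoring the same email at two
different moments can therefore give different answers.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HALF_LIFE_DAYS = 30.0   # assumption: a relationship's weight halves every 30 days of silence
ANOMALY_RATIO = 4.0     # assumption: flag when the best alternative scores >= 4x the addressed recipient
TOPIC_FLOOR = 0.2       # assumption: any past mail counts a little even if the subject differs


def tokenize(subject):
    """Crude subject tokenizer: lower-case alphanumeric runs."""
    return set(re.findall(r"[a-z0-9]+", subject.lower()))


class SenderState:
    """Everything known so far about one sender's outbound relationships."""

    def __init__(self):
        # recipient -> list of (sent_at, subject tokens), in observation order
        self.events = defaultdict(list)

    def observe(self, recipient, subject, sent_at):
        self.events[recipient].append((sent_at, tokenize(subject)))

    def score(self, recipient, subject, now):
        """Recency- and topic-weighted evidence that `recipient` is a normal target at time `now`."""
        tokens = tokenize(subject)
        total = 0.0
        for sent_at, past_tokens in self.events.get(recipient, []):
            age_days = (now - sent_at).total_seconds() / 86400.0
            if age_days < 0:
                continue  # state is what was known at `now`; later mail must not leak in
            recency = 0.5 ** (age_days / HALF_LIFE_DAYS)
            union = tokens | past_tokens
            overlap = len(tokens & past_tokens) / len(union) if union else 0.0
            total += recency * (TOPIC_FLOOR + (1.0 - TOPIC_FLOOR) * overlap)
        return total

    def assess(self, addressed, subject, now):
        """Return (anomalous, predicted_recipient, addressed_score).

        A recipient the sender has never mailed gets score 0 and, in this toy,
        is only flagged when a much stronger alternative exists; a real system
        would treat a brand-new recipient as a signal in its own right.
        """
        scores = {r: self.score(r, subject, now) for r in self.events}
        scores.setdefault(addressed, 0.0)
        addressed_score = scores[addressed]
        best = max(scores, key=scores.get)
        anomalous = best != addressed and scores[best] >= ANOMALY_RATIO * max(addressed_score, 1e-9)
        return anomalous, (best if anomalous else addressed), addressed_score


def build_jane_history():
    """Constructed history: Jane's project with Eva ended months ago; her current project is with Evan."""
    jane = SenderState()
    eva, evan = "eva@client-a.example", "evan@client-b.example"
    start_eva = datetime(2019, 8, 1)
    for week in range(8):                       # weekly updates to Eva, Aug-Sep 2019
        jane.observe(eva, "Project Update", start_eva + timedelta(weeks=week))
    start_evan = datetime(2020, 1, 15)
    for week in range(6):                       # weekly updates to Evan, Jan-Feb 2020
        jane.observe(evan, "Project Update", start_evan + timedelta(weeks=week))
    jane.observe(evan, "Lunch next week?", datetime(2020, 2, 10))
    return jane


def run_scenario():
    """Score the same email ("Project Update" to Eva) at two points in time."""
    jane = build_jane_history()
    eva = "eva@client-a.example"
    during_eva_project = jane.assess(eva, "Project Update", datetime(2019, 9, 20))
    after_switch = jane.assess(eva, "Project Update", datetime(2020, 2, 28))
    return during_eva_project, after_switch


if __name__ == "__main__":
    then, now = run_scenario()
    print("Sep 2019:", then)   # normal: Eva is the active relationship
    print("Feb 2020:", now)    # anomalous: Evan predicted as the intended recipient
```

The decay is the whole trick: without it, Eva's eight past "Project Update" emails would outweigh Evan's six forever, and the model would be stateless in exactly the sense the article criticises. A production system would add many more signals (reply behaviour, the other recipients on the thread, attachment sensitivity) and would learn the thresholds rather than hard-code them.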
People are unpredictable and error prone, and training and policies won’t change that simple fact. As employees continue to control and share more sensitive company data, businesses need a more robust, people-centric approach to cybersecurity. They need advanced technologies that understand how individuals’ relationships and behaviors change over time in order to effectively detect and prevent threats caused by human error. *This article is part of a VentureBeat special issue. Read the full series here: AI and Security.
ATO/BEC, Integrated Cloud Email Security
Tim Sadler on Hacking Humans Podcast: Episode 87 “The Art of Cheating”
Friday, February 28th, 2020
Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why email is so risky and inboxes remain dangerous territory. Listen to Hacking Humans Episode 87 “The Art Of Cheating.”

Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He is from a company called Tessian. And we discuss the human element of cybersecurity, along with some details on some phishing schemes. Here’s my conversation with Tim Sadler.

Tim Sadler: I think, for a long time, when we’ve spoken about securing people, we’ve always defaulted to training and awareness rather than thinking about how we can use technology to take the burden of security away from people. So I think there’s a challenge at the moment in that humans are unpredictable. They break the rules. They make mistakes. And they’re easily tricked. And that’s what’s leading to so many data breaches today that are ultimately caused by people and human error.

Dave Bittner: And so the bad guys, knowing this, have adjusted their tactics.

Tim Sadler: I think that’s right. I mean, if you think about email for an organization, it is an open gateway. So it is one of the only pieces of infrastructure an organization has where anybody can send anything into an organization without pre-approval. And I think that’s one of the reasons why we’re seeing such a high level of threat around phishing, spear-phishing, business email compromise, those kinds of attacks. It is the – really, the entry point for every attacker that wants to get into an organization today, and it’s so effortless to execute one of these scams.

Dave Bittner: So what kind of things are you tracking? What are some of the specific campaigns that are popular these days?

Tim Sadler: So I think, you know, we see everything from the well-known trends like the fact that, you know, it’s tax season and the W-9 form scam – so attackers putting malicious attachments in emails trying to get people to open them because, you know, it’s tax season, and that’s something that everybody is watching out for. And then some of the more interesting things that we’re seeing specifically are around attackers scraping LinkedIn data to automate attacks based on people moving jobs. So a new joiner to an organization will – you know, is – may have a higher propensity to be duped by a phishing scam. They won’t know the protocol that an organization has in place. So we’re seeing a lot of attacks that come through when people are new to an organization. It’s maybe in their first or second week, and then they’ll receive a spear-phishing email pretending to be the CFO or pretending to be the CEO, trying to dupe them into doing something and, again, use those techniques of deception and urgency on emails.

Dave Bittner: Now, what about some of the more targeted campaigns – you know, things like spear-phishing, even – you hear it referred to sometimes as whaling, where they’re targeting high-level people within organizations?

Tim Sadler: And actually, you can – for attackers, it is fairly scalable to do this. You can build a LinkedIn scraper. You can be pulling names. And you can be automating the purchase of domains that look like legitimate domains but, in fact, aren’t. And then you can automate the sending of those emails into organizations. And, you know, the rewards from doing this kind of thing can be enormous for attackers. So I read about that charity in the U.K. this morning who fell victim to a spear-phishing scam where they lost almost a million dollars over three transactions. So it is a huge, huge payoff for these attackers when they actually – you know, they get their target to do the thing they want them to.

Dave Bittner: What are your recommendations for organizations to best protect themselves?

Tim Sadler: So I think, you know, it does start with awareness. You have to make sure that employees are aware that their inbox is dangerous. And they need to pause, if only for five seconds, just with every email they get and do some basic checks. So check, who is this email from? Does the domain look legitimate?

Tim Sadler: But really, what is extremely difficult is, for most organizations today, their entire security strategy is reliant on their employees doing the right thing 100% of the time. So if you are only relying on security training and awareness, there are going to be things that creep through. There are going to be attacks that are successful. And in the same way that organizations use advanced technology to secure their networks and secure their devices, we believe that organizations today need to be using advanced technology to secure their people.

Dave Bittner: Well, how does that technology play out? What sort of things are you describing here?

Tim Sadler: In order to secure people – so again, we come back to this point that people are unpredictable. They break the rules. They make mistakes, and they’re easily hacked. A system needs to understand the normal patterns of behavior that a person exhibits on email in order to understand what looks like a security threat and what looks like a normal email. So what organizations can do is they can use a platform – like Tessian, for example – that uses machine learning to analyze historical email patterns and behaviors to understand, on every incoming email, does this email look legitimate or not? And that’s something that we’ve pioneered and we use and is much more effective than some of the traditional approaches, which use rules or policies to control the flow of inbound email.

Dave Bittner: You know, it reminds me of a story that a colleague of mine shared with some friends who work for a nonprofit. And they got an email from the chief financial officer, who had just gone on vacation, and it said, I know; I realize I’m out of town, but I need you all to transfer this large sum of money, and I need it done immediately; you know, please don’t let me down. And to a person, they all said, this is the last thing in the world this person would ever say or do. And that tipped them off to the problem. It sounds like – I mean, that’s a similar thing to how you’re coming at this from a technological point of view or looking – making sure that the behavior isn’t anomalous.

Tim Sadler: Yeah, that’s exactly right. We use machine learning in the way that it’s been applied to other fields – for example, credit card fraud detection. You look at their normal spending patterns and behaviors on card transactions, and then you use that intelligence to then spot the fraudulent transactions. And that’s what we’re doing. We’re looking at normal email behavior in order to spot the fraudulent email behavior. And in the same way that you would try and train a person to look out for the unusual aspects of an email that may give a clue as to whether it’s a phishing email or not, you can train a machine-learning algorithm to do the same.

Tim Sadler: Now, the difference and the advantage to doing this is that a machine-learning algorithm can traverse millions and millions and millions of data points in a split second, whereas a human is only going to have a limited number of data points that they can remember or they can go back to in their mind.

Dave Bittner: Where do you suppose we’re headed with this? As you look towards the future and this problem with email continues to be an issue, do you suppose the types of things that you’re offering here are going to become just a standard part of doing business?

Tim Sadler: I think it’s critical that organizations today realize that their security strategy cannot be reliant on training people to do the right thing 100% of the time. And again, it comes back to – at the beginning of my career, I was working for one of the world’s largest banks and saw a massive problem, and that is that banks spend millions of dollars on securing their networks and devices using advanced technology, but they completely neglect the security of their people. So instead, they’re relying on training them to do the right thing 100% of the time. And that, obviously, doesn’t work.

Tim Sadler: I saw people who would send highly sensitive information to completely the wrong person. They would email documents to their personal email account, or they would fall for phishing scams. So we thought this was a huge problem that needed solving, and that’s why we built the product that we’re building today – because we believe that in the same way you have a firewall for your network and you have an EDR platform for your devices, we believe you need a human-layer security platform to protect your people.

Dave Bittner: All right. Interesting stuff. Joe?

Joe Carrigan: Yeah. A couple things stick out to me. One, your inbox is dangerous, and Tim does a really good job of describing why that is. He calls it an open gateway because anyone – literally anyone – can use your inbox.
Customer Stories
Mitigating the Risk of Data Exfiltration in a Regulated Industry
Wednesday, February 19th, 2020
McMillan Williams Solicitors (MW) is a British consumer high street law firm. It is a top 10 conveyancing law firm, operating across the south of England with a mission to provide accessible, affordable, inclusive, innovative and personal legal services. MW Solicitors is protecting 450 employees with Tessian Guardian and Tessian Enforcer.
Making security a priority

MW Solicitors provides legal advice to clients across the UK. Chief Information Officer David Fazakerley is responsible for ensuring that the firm’s IT infrastructure is efficient and fit for purpose. With over 1,000 new clients every month, protecting client data is a top priority. Due to the high volume of clients, MW Solicitors’ attorneys must be efficient when tending to client needs. David notes that because of the pace of work, “mistakes can easily happen on email, especially due to features like autocomplete, which can lead to an email being accidentally sent to the wrong person.” David identified misdirected and unauthorized emails as two key problems that could compromise the firm’s data security. What’s more, from a compliance point of view, data loss and exfiltration can cause significant issues for law firms, resulting in many hours spent on incident management and potentially having to file a report to the ICO. Seeking a solution that would ensure that their sensitive data remains secured, MW Solicitors turned to Tessian.

Efficiently mitigating the risk of data loss

Tessian’s ability to easily integrate into MW Solicitors’ layered security system without having an impact on the infrastructure was a key benefit for the firm’s Risk and Compliance team. Tessian produced positive results shortly after deployment. MW Solicitors deployed Tessian Guardian to prevent accidental data loss due to misdirected emails. One of the most common mistakes that can lead to a misdirected email is an employee inputting the wrong client email into a case management system. “This can be as simple as putting in hotmail.com instead of hotmail.co.uk,” notes Charlotte Mays, Compliance and Data Protection Manager. This is a problem because case management systems are unable to recognize such mistakes. Tessian Guardian can prevent emails from being sent to an incorrect address saved in the case management system. It does this by analyzing the firm’s historical email data in order to understand sending patterns and relationships between contacts. By learning what the “normal” or correct email address is from previous communications, Tessian Guardian can automatically identify the abnormal email address and notify the user that the incorrect recipient has been included in the email.

MW Solicitors also deployed Tessian Enforcer to prevent data exfiltration by email to personal or non-business domains. Tessian Enforcer understands the difference between authorized and unauthorized accounts by looking at emails that each employee has sent and received in the past in order to identify non-business contacts. If an employee sends an email to an unauthorized account, Charlotte and her team are now able to easily detect this. This has been “a huge improvement, as before it might have been difficult to even identify the employee in the first place,” notes Charlotte. MW Solicitors’ Risk and Compliance team are now able to review the Tessian dashboard to see in real time if data has been sent to unsafe destinations.

Building a culture of transparency

David aims to build a culture of transparency when it comes to data security. If all employees have an understanding of the security solutions in place, David believes that this will improve employee awareness and accountability. As MW Solicitors continues to grow, highlighting the importance of data security will be vital. Human error is a constant, but if employees are armed with the right tools to prevent mistakes from occurring in the first place, then damage can be minimized or avoided altogether.

Learn more about how Tessian prevents human error on email

Tessian is building the world’s first Human Layer Security platform to automatically secure all human-digital interactions within the enterprise. Today, our filters use stateful machine learning to protect people using email and to prevent threats like spear phishing, accidental data loss, data exfiltration and other non-compliant email activity. To book a demo and learn more about how we can help your organization, click here.
Customer Stories
Strengthening Security in Biotechnology
Tuesday, February 11th, 2020
Gubra is a Danish biotechnology company that was founded in 2008. Gubra focuses on preclinical contract research services and drug discovery programs within the metabolic space. The organization has established itself across the globe as a highly professional and competent partner within academia, biotechnology and the pharmaceutical industry. Gubra is protecting 160 employees with Tessian Defender and Tessian Guardian.
Taking security seriously

Gubra is a Danish preclinical contract research organization that specializes in model building and drug testing for a variety of metabolic diseases. Chief Technology Officer Morten Høgholm Pedersen oversees IT development, implementation and operations. With many of the globe’s largest pharmaceutical companies as customers, ensuring that Gubra’s IT systems remain secure is a top priority. Many of Gubra’s clients are very sensitive to data security due to the nature of the biotechnology industry. Therefore, it is imperative that their information remains safeguarded within the organization. “We share data via password protected fileshare solutions. So even though sensitive data would not be compromised, misdirected emails that employees could accidentally send would still seem unprofessional and undermine our reputation,” says Morten. Additionally, with the rise in spear phishing attacks, Gubra also needed a solution that would better protect the organization from inbound threats on email. Gubra turned to Tessian.

Upholding credibility through secured systems

Tessian was successfully implemented into Gubra’s security stack. Administered by Gubra’s IT team and overseen by Morten, Tessian gives Gubra transparency into their email security. Gubra is now protected from accidental data loss due to misdirected emails with the implementation of Tessian Guardian. For Gubra, the most powerful feature is Tessian Guardian’s ability to automatically identify an abnormal email address and notify users in real time that the potentially wrong recipient has been included. “The pop-up warning that tells people they could be sending an email to the wrong person has had a learning effect on the organization,” notes Morten. For Gubra, Tessian Guardian has led employees to become even more cautious. Many spear phishing attempts try to lure employees into paying fake invoices, and attackers are convincingly impersonating familiar parties. For Morten, the biggest concern for the organization is maintaining data security and credibility. Tessian Defender automatically prevents advanced impersonation-based spear phishing attacks by using stateful machine learning models to analyze historical email data and understand relationship context. Tessian Defender can detect impersonation from both internal and external parties and is helping Gubra defend itself from inbound threats.

Staying vigilant in a changing environment

Human error is inevitable, and people will make mistakes on email, but they can be mitigated if the right tools are in place. For Morten, “it should be a standard for all companies to have a high degree of protection using the most advanced tools available against phishing attempts and misdirected emails.” With attackers getting more sophisticated with their tactics, it will be important for organizations to stay proactive with their security strategy. Gubra can now ensure that their clients’ sensitive data remains secured.
Email DLP
How Does Data Loss Prevention for Email Work?
Sunday, February 9th, 2020
Data Loss Prevention is a vital part of security frameworks across industries, from Healthcare and Legal to Real Estate and Financial Services. There are dozens of different DLP solutions on the market, each of which secures data differently depending on the perimeter it is protecting. There are three main types of DLP:

- Network DLP
- Endpoint DLP
- Email DLP

While we’ve covered the topic of email DLP broadly in this Complete Overview of DLP on Email, we think it’s important for individuals and larger organizations to fully understand what the proper application of email DLP can offer and, with that, why it’s so important to know which email DLP system to implement.

How can DLP for email protect an organization?

Importantly, there are two types of threats DLP must account for:

- Accidental Data Loss: To err is human. For example, an employee might fat-finger an email address and send the message to the wrong person. While unintentional, this mistake could and has led to a costly data breach. DLP solutions need to be able to flag the email as misdirected before it’s sent, either by warning the individual or by automatically quarantining or blocking it.
- Malicious Exfiltration: Whether it’s a bad leaver or someone hoping to sell trade secrets, some employees do, unfortunately, have malicious intent. DLP solutions need to be able to identify data exfiltration attempts over email before they happen in order to prevent breaches.

An introduction to rule-based DLP

On a basic level, the bulk of DLP solutions operate via rule-based policies, using if-then statements to lock down data after it’s been classified. For example, if you want to ensure your HR department doesn’t share personally identifiable information (PII) like employees’ social security numbers, you could create a rule on email: “If an outbound email to a party outside of the organization contains the phrase ‘social security number’, then block it.” You could also create a broader rule. For example, if you wanted to prevent accidental data loss of company information, you might forbid employees from sending emails to their personal email accounts. To enforce this, you might block all emails from an official company account to freemail accounts like @gmail.com, @yahoo.com, or @hotmail.com.

Of course, these rules need to be set up separately for each organization where a DLP system is implemented. Various factors can influence these rules, including the type of data being protected, workflows, and existing policies, procedures, and tools. Working through these will help you recognize the potential “borders” that sensitive data shouldn’t cross.

The limitations of rule-based DLP

Unfortunately, DLP, and rule-based DLP in particular, can be a blunt instrument. A keyword rule misses the same data written in different words or a different format, and a domain rule blocks a legitimate client who happens to use a freemail address just as readily as it blocks a leaver mailing themselves the client list. Rules simply don’t reflect the limitless nuances of human behavior.

A better approach to DLP

While IT and security teams could work tirelessly to properly deploy and maintain rule-based DLP solutions to detect potential threats and limit the exposure of sensitive data, there’s a better, smarter way: Human Layer Security. Instead of rules, Tessian’s DLP solutions use contextual machine learning models to understand the context of human behavior and communications. Trained on historical emails and real-time correspondence, machine-intelligent software can recognize what looks suspicious, similar to what a human cybersecurity expert could do. However, unlike humans, it can do this thousands of times per second without missing key information or getting tired.

Which email DLP solution is right for my organization?

As we’ve mentioned, each organization has different needs when it comes to DLP. Some might need more network protection while others need to lock down email. In either case, it’s important to consider the budget, ease of deployment, and internal resources alongside the biggest threat vectors for data loss. If your biggest concern is data exfiltration and you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Enforcer may be right for you. If your biggest concern is accidental data loss and, again, you’re looking for a solution that’s easy and quick to deploy and that doesn’t require heavy maintenance from an administrator, Tessian Guardian might be for you.
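The following is an added illustration for this post, not code from Tessian or from the original page: it implements the two if-then rules described above (a PII keyword rule and a freemail-domain rule) and, beside them, a simple history-based recipient check of the kind the MW Solicitors customer story describes, where a recipient address that is only a few edits away from a known correspondent (hotmail.com versus hotmail.co.uk) is flagged as a likely misdirection. The internal domain, the freemail list, the addresses, the sample messages and the contact history are all constructed for the example, and the "baseline" is a plain edit-distance comparison standing in for a learned model. Running it shows where the rules fire, where they miss (the same PII written as "SSN" without dashes), and where they fire on a legitimate client who uses a personal address.

```python
"""Rule-based email DLP checks beside a contact-history baseline check.

Added example for this page; not Tessian's code. Every domain, address,
message and history entry below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ORG_DOMAIN = "example-firm.com"                      # assumed internal domain
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com",
                    "hotmail.co.uk", "outlook.com"}  # assumed freemail list
PII_KEYWORDS = ("social security number",)           # the if-then rule from the post
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # matches dashed SSNs only


@dataclass
class Email:
    sender: str
    recipients: list[str]
    body: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def rule_based_checks(email: Email) -> list[str]:
    """Return the names of the static rules that fire (empty list = allow)."""
    hits: list[str] = []
    external = [r for r in email.recipients if domain_of(r) != ORG_DOMAIN]
    if not external:
        return hits
    body = email.body.lower()
    if any(k in body for k in PII_KEYWORDS) or SSN_RE.search(email.body):
        hits.append("pii_to_external")
    if any(domain_of(r) in FREEMAIL_DOMAINS for r in external):
        hits.append("freemail_recipient")
    return hits


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot a near-miss recipient such as .com vs .co.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def baseline_checks(email: Email, history: dict[str, set[str]],
                    max_distance: int = 3) -> list[str]:
    """Compare each recipient with the sender's past correspondents.

    A recipient a few edits away from a known address is reported as a likely
    misdirection; an unseen freemail address is reported as a new, unauthorised
    contact. Known recipients pass regardless of their domain.
    """
    known = history.get(email.sender.lower(), set())
    findings: list[str] = []
    for recipient in (r.lower() for r in email.recipients):
        if recipient in known:
            continue
        nearest = min(known, key=lambda k: levenshtein(recipient, k), default=None)
        if nearest is not None and levenshtein(recipient, nearest) <= max_distance:
            findings.append(f"near_miss:{recipient}->{nearest}")
        elif domain_of(recipient) in FREEMAIL_DOMAINS:
            findings.append(f"new_freemail_contact:{recipient}")
    return findings


def run_checks(email: Email, history: dict[str, set[str]]) -> dict[str, list[str]]:
    return {"rules": rule_based_checks(email), "baseline": baseline_checks(email, history)}


# Constructed sender -> past recipients history (stands in for learned behaviour).
HISTORY = {
    "hr@example-firm.com": {"payroll@payroll-provider.com"},
    "solicitor@example-firm.com": {"jane.doe@hotmail.com", "counsel@otherfirm.co.uk"},
}

# Constructed outbound messages exercising each rule and its blind spots.
SAMPLE_EMAILS = [
    Email("hr@example-firm.com", ["payroll@payroll-provider.com"],
          "Please update the employee's social security number to 123-45-6789."),
    Email("hr@example-firm.com", ["payroll@payroll-provider.com"],
          "SSN for the new starter: 123456789 (see attached)."),  # wording evades the rule
    Email("solicitor@example-firm.com", ["jane.doe@hotmail.com"],
          "Draft contract attached."),                            # legitimate client on freemail
    Email("solicitor@example-firm.com", ["jane.doe@hotmail.co.uk"],
          "Draft contract attached."),                            # mistyped client address
    Email("solicitor@example-firm.com", ["solicitor.private@gmail.com"],
          "Taking the client file home for the weekend."),        # personal account
]

if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        print(e.recipients, run_checks(e, HISTORY))
```

The rules give the same verdict for the third and fourth messages (both go to a freemail address), which is exactly the bluntness the post describes; only the history check separates the known client from the mistyped address. In a real deployment the edit-distance threshold needs tuning per organization, since short addresses at different domains can legitimately sit within three edits of each other.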
Integrated Cloud Email Security
Tessian Human Layer Security Summit: Meet the Speakers
Friday, February 7th, 2020
On March 5, Tessian will host the first Human Layer Security Summit in London. We’ll be welcoming 10 speakers with diverse backgrounds to the stage as we take a deep dive into what exactly people-centric security means. On the day, attendees can expect thought-provoking presentations by leaders from renowned institutions, a panel discussion about Human Layer Security featuring some of Tessian’s customers, and an analysis of emerging social engineering threats from an ethical hacker.
Keynote Speakers

Mark Logsdon, Head of Governance and Assurance, Prudential

Mark – who has held senior security positions at top-tier financial service companies for over a decade – will be highlighting the challenges and opportunities associated with creating and maintaining a positive security culture within an organization. Attendees can expect a multi-faceted presentation that covers how cybersecurity can and should enable business objectives, the value in creating a proactive security environment, and the importance of collaboration across departments for cybersecurity advocacy.

Tanja Podinic, Assistant General Counsel, Dentons

Working at the intersection of tech and legal, Tanja is in a unique position to highlight the implications the digital transformation has had on risk for businesses. She’s particularly interested in how innovations in technology can help mitigate the risks around people. Now, with Dentons having implemented Tessian’s solutions – Tessian Guardian and Tessian Enforcer – she’ll also be joining the panel session to discuss how machine learning has helped her organization prevent misdirected emails and data exfiltration on email. Read more about how Tessian has helped Dentons protect their data here.

Panel Session

Timor Ahmad, Head of Data Governance & Privacy, Lloyd’s of London

Timor – who believes data should be treated as an organization’s core asset – has years of experience managing data protection, privacy, and quality. With a special interest in business enablement, Timor has seen how Human Layer Security can give businesses across industries a competitive edge.

Jamie Travis, Head of Information Security, Herbert Smith Freehills

With a great deal of experience in leading large-scale security improvement projects, Jamie has a strong interest in understanding how risk management and human behavior go hand-in-hand. This requires that he not only create strong security policies, but also that he fosters strong internal and external relationships. He now uses Tessian to mitigate risk associated with human error, and people-centric security is a key focus for 2020.

Mark Parr, Global Director of Information Technology, HFW

After a 27-year military career delivering command and control networks and communications and information systems, Mark moved into the financial sector to focus on people operations within cybersecurity. Currently heading up Information Technology at a global law firm, he’s using his expertise in Risk Management and Information Assurance alongside Tessian to navigate challenges associated with human error.

Ethical Hacker

Glyn Wintle, CEO & Founder, Tradecraft

Having started his career as a penetration tester, Glyn has incredible, hands-on experience in helping organizations defend themselves against ever-evolving threats. He’ll detail how hackers combine psychology and technical know-how to create highly targeted (and highly effective) phishing attacks and other forms of social engineering.

Join us at Tessian Human Layer Security Summit

Over the next several weeks, we’ll be releasing even more information about Human Layer Security Summit and the speakers who will be attending. Follow us on LinkedIn to be the first to get these updates.
If you haven’t yet saved your seat to join those who are putting people-centric security at the top of their agenda, do so now! Spaces are filling up quickly.
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Swati Lay From Funding Circle
By Maddie Rosenthal
Thursday, February 6th, 2020
Swati Lay, who has more than 20 years’ experience in software development and information security, is the Chief Technology Officer (CTO) at Funding Circle, a peer-to-peer lending marketplace that allows the public to lend money directly to small and medium-sized businesses. Her interest in cybersecurity was piqued at 16 years old with a course on Number Theory and Cryptography and, having earned her Bachelor’s Degree in Electrical Engineering and Operations Management from Princeton University, Swati started her career at Merrill Lynch in New York as a software developer. Since then, she’s held leadership positions both at scale in larger enterprises and in higher-growth environments, including retail banking at Barclays Bank and gaming, where she was the Director of Information Security at Betfair, what was then a FTSE 250 gaming operator.
Q. Describe your role as a CTO in 300 characters or less.

I’m responsible for all of Funding Circle’s technology capabilities globally.

Q. You’ve been a part of the larger cybersecurity industry for over 20 years. How did you get involved initially?

My first real introduction to cybersecurity was a Number Theory and Cryptography course I took when I was 16 years old. While I was so fascinated by the subject, I remember thinking that I wasn’t the strongest from a math perspective and that, because of that, I just wouldn’t be able to get a job in this industry. Fast forward several years later, I’ve graduated from Princeton University, am working at AT&T as a Systems Engineer, and I started to realize that there are actual applications of cryptography in the business world. Importantly for me, its application in the business world is more focussed on implementation rather than the math behind it, so I was able to really get my head around it. A colleague of mine at AT&T moved to Merrill Lynch to an Information Security team and asked me if I’d be interested in coming along. The rest is history! For me, it really was fulfilling a childhood dream.

Q. Why did you initially write off the industry as an option for you?

It just seemed so far out of reach. I didn’t understand what skills were required, in part because cybersecurity really wasn’t its own, standalone industry yet. What’s even more sad, though, is that’s still the case for many people today. Despite the industry being more defined than it ever has been, there’s still a lot that needs to be demystified to really get people interested and involved.

Q. If you were discouraged based on preconceived notions about the industry, what skills and interests can you point to that are actually necessary to thrive in a cybersecurity role?

I think people view cybersecurity as a black art. But, it’s really not that obscure! There’s an incredible range of opportunities available, and not all of them require technical skills. Yes, when you consider more general engineering, technical skills are paramount. But when you think about management roles, you need communication, collaboration, vision, etc. Then, you look at cybersecurity more broadly. What you really need is the ability to communicate risk in a way that enables decision-makers to do their job. People don’t always understand the work you’re doing or why it’s important, and that can make you second-guess yourself. That’s why we need people who are willing to do some really deep problem solving, people who are willing to dive into deep issues and not be afraid to have a contrary point of view. You have to be smart. You have to be disruptive. That’s why it’s so important that we diversify the population of people working in cybersecurity. We need to round out our teams and encourage more than just technical skills. If we don’t, the implications will be quite severe, especially because we’re not just protecting financial institutions and governments anymore. Companies across industries – small, medium, and large – have seen the value in building out cybersecurity functions.

Q. Does your senior role enable you to empower more people to explore the opportunities available in cybersecurity?

I think every person in senior leadership in cybersecurity wants to empower more people to explore these opportunities that are available. A big piece of that is role models. You have to see it to be it! I remember when I was 12 years old, someone mentioned an Ivy League school to me and I thought “I’ll never be able to do that!” It wasn’t until I saw people who had the same background and upbringing as me going to these schools that I finally thought I could do it, too. That’s why now – especially because I’ve been so fortunate throughout my career and have had so many incredible opportunities – I want to show the next generation that they can have those same experiences.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, KPMG, Nielsen and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Amy Johnson From Herbert Smith Freehills
By Maddie Rosenthal
Tuesday, February 4th, 2020
Amy Johnson is the Information Security Manager at Herbert Smith Freehills, an international law firm with headquarters in both London and Australia. She’s worked in cybersecurity for over six years and started her career as a Lead Investigator at Freshfields Bruckhaus Deringer. Before entering the cybersecurity industry, she worked in Human Resources. While she doesn’t have a formal education that’s focused on cybersecurity, she’s earned five certifications to date, including the Certificate in Information Security Management Principles (CISMP), Certified Information Security Manager (CISM), Certified Data Protection Officer (CDPO), ISO 27001 Implementer, and Certified Information Systems Auditor (CISA). Next, she’ll aim to earn her Certified Information Systems Security Professional (CISSP) qualification.
Q. Describe your role as a Security Manager in 300 characters or less.

I monitor system user behavior and I review client security requirements and questionnaires. I’m very much forward-facing and part of my job is to guide the firm and our people on how to work with information and technology in a safe and secure way.

Q. How did you get started in this industry?

I don’t have a background in cybersecurity. I actually studied HR and worked in that industry for years. About two years into working at Freshfields Bruckhaus Deringer, Mark Walmsley, who was the CISO at the time and still is, started creating a new group called the Information Security Group (ISG). At that point, I was ready for a career change. I wanted to do something that wasn’t just exciting every day, but different every day. The idea of protecting people, investigating threats, and creating training materials about the evolving risks in information and cybersecurity really, really interested me. I decided to go for it and got the job! I was the Lead Investigator there for about five years. Since then, I’ve earned different certifications and have really catapulted myself into the more senior position that I’m in now at Herbert Smith Freehills.

Q. Did your previous experience help prepare you for your first role in cybersecurity?

Monitoring/investigating systems can be a sensitive subject, which means you have to be hyper-aware of data privacy laws, etc. That’s something I was able to bring to the table because of my previous experience. But, to really be successful in a cybersecurity role, you have to be familiar with not just the current threats, but the new and evolving technologies. You have to stay on top of that. I didn’t get that exposure until I started. I also didn’t have any technical skills when I started. I learned on the job, which – to me – is far better than going to study. Cybersecurity is really about putting what you know into practice.

Q. Do you have any thoughts on why women only make up a quarter of the cybersecurity workforce?

A lot of women in tech might not see cybersecurity as a suitable career path because it is considered quite a masculine profession. That’s probably ingrained at a very young age. It’s important to not be discouraged by that, though. Bear in mind, I came from an HR background; that’s a field where you’ll often work in a team that’s all women. Moving into this industry, I’ve often been the only woman within the teams I’m working in. But, that doesn’t mean I don’t feel like I belong. I don’t find men that intimidating! Women can be just as successful in this industry, and opportunity, recognition, and progression are absolutely available to those who work hard.

Q. In terms of progression, do you feel like a career path to a more senior position is clear?

To be very honest, I’m already very proud of how far I’ve come in the last 10 years. When I first moved to London, I was making significantly less than I’m making now. I’ve consistently worked my way up the ladder since then. I’d still really like to learn and grow more within this industry and I certainly have dreams of being a CISO or a head of a department eventually. But, the opportunity for growth can really depend on how big your department is. Cybersecurity is still growing, and not all organizations have large teams, which means you may not necessarily see what your next step will look like or what skills you need to develop to take that next step. It can be hard. But, the skills you get at any one organization are really transferable.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber