Email Security — SolarWinds TechPod 012

Stream on:
Email security. Do a Google search and you'll find it's one of the biggest concerns facing businesses today. Join Ashley Bono, SolarWinds MSP Product Marketing Manager, and N-able Mail Assure product team members Dreas von Donselaar and Mia Thompson as they discuss the evolution and weaponization of email spam...and the tools you can use to keep the bad actors out of your inbox. Related Links  

Episode Transcript

Announcer: On this episode of Tech Talks, SolarWinds Product Marketing Manager Ashley Bono…

Ashley: “…How much can a data breach cost a company?”

Announcer: …speaks to SolarWinds Mail Assure Product Manager Dreas von Donselaar…

Dreas: “…I wish I could tell you email security is the only thing you need…”

Announcer: …and Mail Assure Product Marketing Manager Mia Thompson…

Mia: “…email is the lifeblood of any business these days…”

Announcer: …about the evolution and weaponization of email spam…and the tools you can use to keep the bad actors out of your inbox.

Ashley: Hello and welcome to another edition of Tech Talks. My name is Ashley Bono. If you do a Google search on email security, you’ll find page after page, article after article about how email security is one of the biggest, if not the top concern facing businesses today. To talk about those various threats and about our solution for email security here at SolarWinds are our resident email security experts. I’d like to welcome Dreas von Donselaar, the product manager for Mail Assure and former CTO of SpamExperts. I’d also like to welcome Mia Thompson. She is a product marketing manager for Mail Assure. You guys, welcome. Thank you so much for being here.

Dreas: Thanks. Great to be here today.

Ashley: Yep. Thank you! Mia, thank you so much, too.

Mia: Thanks so much, Ashley.

Ashley: So to get us started I’d like to sort of level set and kind of talk about the different types of email security threats that different companies experience. So do you think you guys could just name some of the different threats and kind of explain what they are?

Dreas: Yeah, absolutely. Email’s interesting. We started filtering email about 13 years ago and back then Bill Gates actually predicted that email spam would stop within a few years. I guess, good for us it didn’t. As a business for the IT industry, of course it’s not good at all. But email remains an important tech factor. There’s so much email in general that people are sending around, so it’s easy for spammers to try and squeeze their stuff into there. And if you zoom in on different email types of spam or attack factors–like the classical spam is really bulk emailing, trying to sell you products. That Viagra spam that everybody would know about. What they do is they send a few million of those emails and there will be a group of people that are insecure and happen not to be female in that group that will actually order that product and pay for it, right? So by doing these huge numbers, these huge volumes of email, they will always hit somebody that is like, “Hey, I was just thinking about Viagra. Great! I can buy it now.” Phishing is really more about a single line with a hook that that’s thrown out. The word phishing refers much more to trying to cheat somebody into an action. For example, pretending you’re a bank and trying to have somebody enter the real bank credentials on your fake website. So spear-phishing is a new form of spam. What happened was that security products were getting better and more and more people were starting to use security or at least basic anti-spam security products. It was getting effectively more and more expensive for spammers to get their customers to buy from them. And with spear-phishing it’s a very, very targeted attack. So a malicious person, let’s keep referring to them as a spammer, will look somebody specific up and try and really cheat that single person into a certain action. So it’s very, very focused, very, very targeted–as if you take a spear and choose your fish to catch him.

Ashley: So other names that I’ve seen sort of thrown out there are whaling, or a business email compromise, clone-phishing, snowshoeing. There are all sorts of different things, whether it’s pretending to be the CEO or using multiple domains and IP addresses. There’s literally dozens, if not hundreds of ways spammers can wriggle their way into a company’s private network and get to their files.

Dreas: Yeah, and it’s interesting. Especially if you look at all these names–it’s something we noticed often as an email security company–is that there’s a few email security vendors and everybody tries to name everything. Especially if you’re looking at the marketing department. So as a CTO it’s always interesting to hear all these different terminologies.

Ashley: For what’s really the same thing, right?

Dreas: Yeah, it is…and it’s not. I mean, if you look at email specifically, it’s a very old protocol, and what I’m meaning with that is that the technology is quite outdated. The fact that it can be used for spam nobody ever thought about. So there’s millions of ways to to abuse the protocol, to try and get your message through and out to people and all the things you just mentioned. The end goal for these spammers is to make money. And there’s different ways that they can do that. So selling the product is one thing, but what people should be much more concerned about is of course getting the infrastructure–getting their computers–infected, potentially, and abused. Zooming further in on that specifically: I mean, these are criminals, right? So they’re just trying to make money and making money can be done in many different ways. So what you see recently for example is with bitcoin becoming very, very popular is that they try and install a bitcoin miner on your computer, which means that, without you knowing, your computer is just mining bitcoins. And that’s annoying because it’s taking up all your computer resources, but that’s not really the worst. Like, it really gets worse if they start stealing your private email, if they start pretending to be your company for a phishing attack to another company, for example. Like with email, you can choose your own name that you send email from and you can choose your own email address that you send the email from, and there’s no real check. So if you set up your email client that you put in your name and email address, you can put in ‘Bill Gates’ and ‘Microsoft,’ or you can put my name there. You send an email and the recipient may or may not receive it depending on their security product. And if they receive it, the only way for them to figure out it’s not you is after they actually send you a response and they are suddenly getting a reply from someone else or they’re noticing that the email address that they’re replying to is slightly different. So it’s kind of incredible if you look at how few issues there are related to security if you look at how simple it is to abuse email to get through to computers and to trick people into taking action.

Ashley: I found a really interesting statistic. This is according to IBM: 95% of all security incidents involve human error. So you could argue that you could give all of the training you want, all of the seminars you want to your employees, but there’s still a pretty decent chance that some spammer’s going to be really good at cloning somebody important and tricking an employee.

Mia: Yeah. And we definitely see a rise in that. So employees need to be super alert on a daily basis. So what we do internally as a company, we normally test employees frequently. So we have a guy in the office and he would send out a phishing email to these employees–a fake one–and test them just to make sure everyone is super alert and continuously educated on the problem. There’s definitely all sorts of ways for them to get in. And of course that’s why people have an additional layer of security. That’s why they have email security.

Dreas: It’s good you bring that up, obviously, and I think that’s where, on the one hand, it’s very important that you have a security layer at all. I mean, I would love of course for everybody to use our product, but we need to protect your email. That’s not a choice anymore nowadays. But on the education part, what we see in our product is we would quarantine, for example, phishing attacks and malware attacks and spam attacks, but we actually, in the behavior of the user, see that they’re trying to release those messages, believing that it’s really from their bank and we would have not blocked it if it wasn’t an attack factor and we have extra protection in place as well to try and show to you just like, “Wait, what are you doing here? That’s maybe not what you want to do because your bank is probably not located in Vietnam,” for example. So there is the whole education part and the security part, and they do go hand in hand because you can do as much on security as you want, but the human factor is very important in basically bypassing or your technical security solutions. And there’s really a mix of actions that you need to protect yourself.

Ashley: So tell me a little bit about Mail Assure.

Mia: It’s a cloud-based solution that provides threat protection for incoming and outgoing emails. We have in-house developed technology updated with input from billions of emails per day. So it continuously updates our threat database. So the spam filtering solution acts as a protective layer through which all incoming and outgoing email is passed, ensuring protection, against spam, viruses, malware or ransomware, IP blacklisting, and basically all email-borne threats. And then for long-term storage we also have email archiving for regulatory and compliance reasons. In a nutshell, that’s what Mail Assure is.

Ashley: So before we recorded you said something really interesting: that to be fully spam-free, you need technology and data. Could you expand on that a little bit?

Mia: Yeah. So to say that to be spam-free you need technology and data is basically black and white simplification. Mail Assure’s technology has been developed in-house and uses some of the most sophisticated malware detection, antivirus and antispam technology. So why is the in-house technology important? It is relevant because it’s in this way we can modify anything in our technology stack, so it gives us control over the technology. We can modify anything at any point in time and we definitely cut out the risk of a black box situation where we don’t have one hundred percent control of what’s happening. And I think Dreas can elaborate a bit more on the technology itself because he’s the man behind it.

Dreas: Absolutely. So maybe zooming back 13 years ago when we started, we only had some technology that we developed, and we quickly learned that getting information about spam is very easy because there’s just so much around and nobody cares about that information. But the real trick is not so much detecting the spam messages; it’s much more about detecting what’s the legitimate message. Because even percentage-wise there’s less legitimate mail than there is spam or malware email. So building technologies is quite easy, I would want to say as an engineer, however, the data that you need to power those technologies to find out what’s a good and what’s a bad email, that’s where it becomes a little more challenging. What we managed to do by analyzing all the traffic going through all our servers that we manage worldwide is to collect a load of data and making sure we can identify who are the spammers and which mails are malicious and which ones are not. And that’s really key on having a good security product. And if you look at the industry a bit broader, there’s only a few companies that are really about building their own data and building their own technology. A lot of the companies license data and modules from each other, which is not necessarily a problem, but the big issue is that if there is a problem, if you do wrongly block something or if there’s a new threat, then you’re of course depending on a third party to supply that data. Whilst, because we manage all the infrastructure and all the technology ourselves, we can instantaneously react if there is an actual new outbreak, for example, or make a correction if there is some legit email type of mail flow that looks like a recent outbreak, for example, or looks like a recent spam run. And it’s continuously changing. Spammers adopt that technologies, obviously, because the security vendors are getting better and better and better. So it’s kind of a cat and mouse game every now and then where the more data you have, the more powerful you become because it’s impossible pretty much for the spammer to hide. Because if they send a, let’s say, a spam run in Brazil, we would pick up on that from our Brazilian customer base and therefore we cover the globe with what you can call kind of detection pulses. We can refer to our infrastructure so when they try and abuse, or cause abuse for one of our clients, we can use the data, use that information instantaneously because our technology can pick up on that. So it’s a very interesting dynamic between technology and data that you use to stay ahead of the spammer and make sure you can block them before they can cause abuse.

Ashley: So it can be difficult to get meaningful data to empower the technology. What are the challenges to collecting the data?

Dreas: So a lot of providers would, for example, provide a software only. We really provide a cloud-based solution, which means that we’re speaking directly with the spammers. So we manage the infrastructure that is processing the email and that is communicating with the spammers. And in doing so, we can learn a lot more than what you can see, for example, than if you just received message content, because we can see the speed at which they’re talking to our servers, we can measure strange behavior, strange types of responses, and in the end what you’re trying to do is you’re trying to get as many data points as possible. Also, knowing that in the end the spammer is probably trying to make money somehow so they’re trying to have you click a URL so we can track URL reputation, they may try and promote a phone number so we could track the phone number if it’s a malicious email. But the point being that, because we have direct interaction if it’s, for example, from a botnet, we know already that it’s going to be 100 percent spam. We know there’s never ever been a legit message from that IP and hence we know we can get more data from that message to ensure that if it pops up somewhere else, we know it’s probably part of that same network at that moment and that’s how you continuously reinforce the different filters, the different technologies. Basically learning from each other if you can pick up all the data and making sure that, “Hey, this is really spam, so what else can I learn from it?”

Ashley: So when it sounds like when you talk about using all of these different means of collecting data to create multiple data points, it sounds like statistics is really the key to monitoring changing dynamics.

Dreas: Yeah, absolutely. It is really all about statistics, in the end, and having as many data points as possible. We continuously track the statistical performance of each of our classifiers and what we see is that sometimes they–because the landscape changes in the way email behaves–sometimes a classifier can perform slightly less a few years later and we also statistically balance that out again.

Ashley: Absolutely. So it can be really difficult for any company, big or small, to sort of get their head around where they’re vulnerable and what their security package should look like and assessing their security as a whole. Emily Mossberg of Deloitte (this is from CSL, she says an accurate picture of cyberattacks, cyberattack impact has been lacking and therefore companies are developing the risk posture s that they need. It’s not exactly something that companies are going to swap stories on. It’s not exactly something that they’re going to compare notes on. So the best companies can really do is add a layer of security, whatever that email security tool looks like.

Dreas: Yeah. I wish I could tell you email security is the only thing you need. Email has been blamed, or been taken into consideration, in some of the recent outbreaks where email really didn’t play a role. So everybody’s zoomed in on email, which again is good, of course, for us and I mean there’s no denying you need an email security product. If you don’t, then within minutes you will be flooded with information you don’t want to see, but it’s very important to realize that email is not the only way that people can get through to your company. We already discussed shortly before on the human factor being a risk. Somebody can simply phone an employee in your company and try and pretend to be somebody to get data. Very similar to an email phishing attack. There’s many different attack vectors and email is like an open door. So that means that you need to protect it. There’s a lot more less obvious ways that people can get in that you need to secure as well. So having endpoint security is very, very important as well, meaning that you have an antivirus on your computer and not to just rely on the email security that’s in front of it simply because there’s other ways that people can get through to your computer.

Ashley: So it also sounds like it’s really important for whatever spectrum of tools you use, that you have visibility and control over your, in this case, email flow.

Dreas: So security is scary, right? Because if you secure something it means that the big order you’ve been waiting for a might also not come through because it’s wrongly blocked, as an example. So whenever you start having automation to secure any of your doors you want to make sure it works well and I think that’s where control becomes key. I fully understand that somebody’s scared if they apply a security product and don’t have clear visibility on what happens in that security layer and what we try and do with Mail Assure is to also provide that insight into what’s happening. And there’s many different ways that we try and do that. Obviously, any connection that’s made to our servers, we make accessible to our customers. We have everything designed in such a way that the data will show records specifically for the customer and that they can access and retrieve that. But similarly, we can send daily reports or hourly reports if people really want that. But we do get that request quite a lot. Just because they, they don’t initially trust the system and they want to get more comfortable over time by seeing that it’s really blocking the right things and letting the good things through. So with any security product it’s very important that you have control and also that you’re able to overrule certain classifiers. So we have full flexibility in basically allowing the customer to overrule as I would want to say anything they liked. Though we try and recommend people not overrule anything because as soon as you try and disable some filter, it means that that’s another attack vectors that you’re open for the spammers, but at the same time I understand you want to have control, so that’s all included in the product as well.

Ashley: So, Dreas, you were saying a few minutes ago, that it’s not just email. There’s so many different ways criminals can try and hack your internal network and steal your or your company’s or your employees’ information. So, Mia, can you talk to me a little bit about email continuity and archiving and the importance of both of those things, and how Mail Assure helps give companies peace of mind?

Mia: Yeah, sure. So with Mail Assure we have 24/7 email continuity. So in this way customers would benefit from uninterrupted business productivity. During such episodes, as you just mentioned, email continuity allows users to actually log into the web interface. They can continue to read emails, receive emails, complete their sends, so they can continue with their business activities and focus on that. So that’s just one part, that’s the email continuity part. Then, when we go over to email archiving, email archiving is obviously a backup. So we take a copy of every incoming and outgoing email message that’s received, we encrypt it, we compress it, and then we store it in our cloud-based archive. And that obviously ensures that people always have a backup of their messages for e-discovery purposes. But then also for regulatory and compliance reasons.

Ashley: For some of the folks that are listening, they may be from smaller companies or they may be asking themselves how much is security going to cost me? How much can a data breach cost a company?

Dreas: That’s very good question. If you run a small business and all your data’s out there for anyone to see, it’s quite easy for you to estimate what the impact will be on your business for that. And I think there’s a few variations. So what happens a lot is, for example, they would install malware on your computer. They would encrypt all your data, protect it with a password, and you only get it back if you pay a few bitcoin to the anonymous spammer or hacker to get access to your own data. And this is quite easy to protect against from an email perspective because these viruses are not typically distributed via email, which means that our antivirus technology and our anti-spam technology is actually really good at picking up on those threats, but if you look at the large recent outbreaks like WannaCry that actually infected the computers not via email as a lot of people think but because of basically a bug in the Microsoft Windows environment, allowing it to get in; it would encrypt all your data and you would lose access to your data. And paying a relatively small fee to get back access to the data is very tempting. The nice thing of having backup, in our case email archiving but the same applies to having a file backup, is that even though in your computers or your network infrastructure, they might have gotten access and encrypted all the data trying to get you to pay the money to release it again (it’s held hostage, effectively), if you have proper backup in place, then there’s no risk there really because you can just restore your backup and you have all your data again. Obviously, you first want to figure out how they got it, but after you clean that up, you restore your data and you are back to operating your business without paying any of these criminals money. And it’s even worse if the criminal disappears and is maybe either taking your money or stops taking your money because he’s rich enough to go away and you just cannot get access ever anymore to your data. If you look at the number of breaches that we do know about, it’s a lot. If you think about the number of breaches that we don’t know about, it’s a lot more. And because for many years everybody has been very secretive around their data breaches and they try to hide it. Now that’s getting increasingly more difficult for one because there’s just all kinds of legal reporting now that companies are required to do so it’s more risky for them not to go that route. On the other side, there’s just the fun of the hacker to make it public, every now and then, what they managed to accomplish. If you look at the number of passwords that have leaked from the different websites, it’s huge. It’s incredible, almost everybody’s password is leaked from some sort of website. So it’s good that security is becoming a bit more transparent, that it’s okay to have been hacked as long as you explain what you’ve been doing to protect yourself, as long as you’ve made sure that you clarify what you’ve done to protect yourself against another incident like that, and make sure that you have a good security policy, etc. Because it’s impossible to be 100% secure, you can get close by deploying good security. You can never get 100%.

Ashley: You touched on a couple of other big costs there, too. I mean, you have to notify your customers or employees of a breach. That’s money. You have to invest in an investigation in order to figure out what went wrong so that you can create your list of improvements to tell your employees or customers or whoever’s data was made vulnerable. If it gets even worse, there might be attorney fees or litigation fees. I mean, the cost of a breach can really add up.

Dreas: Yeah, and security’s really, really affordable. If you compare that together, it’s you also insure your car. I mean, you need some protection and the protection itself is not so expensive that the consequences of not having protection are severe. But although I wish I could say that with email security you’re there, that’s not true. You really need this multi-layer of defense. You need to train your people. It’s a whole group of solutions you need to work on just because you’re too interesting of a target if you don’t have that in order, so it should really just be part of regular business. And that has always been the case, it’s just that it’s getting more and more attention because more and more getting into the public that was kind of secret before. There’s a lot of costs associated with data breach, although the direct costs are generally like any fines you may receive, and if you look at indirect cost, I think a big cost that people are often not seeing is that the data that is leaked, it’s very valuable again, for spammers or malicious actors because they can use a lot of that information, for example, pretending to be that person again because they have sensitive information on that person to do another spear-phishing attack, let’s say,, on suppliers of that company. Data in general, of course, is very valuable and once it’s out anybody has the data to use in their own way, there’s a reputation effect, etc. And I think the scary part is not knowing who has your data and what they’re doing with it. And that can trigger all kinds of long-term side effects.

Ashley: Another issue that I thought was a really interesting point that I think most companies might not think about when it comes to having an email breach is operational downtime. If you’re investigating a breach and your computers are down, that means work isn’t getting done, information isn’t being exchanged appropriately or quickly–

Dreas: And there’s cities being hijacked every now and then. I think there’s one recently and that happens all the time as well, where all the governmental computers are locked down with a password and they just have to pay a few bitcoin to get their access again.

Ashley: Right.

Dreas: But what it really shows us is…it’s easy for me to blame the security. Of course, I don’t think that’s necessarily true, but as I said, you can never be 100% secure. You want to make sure you have that archive of your email messages or you want to have a backup of your files to make sure you can always restore it even if after all security measures, something still goes wrong. It’s really a professional industry. There is a lot of money being made every day from the spam. It’s really professional organizations that are doing this, that are causing this.

Ashley: Well, you know, you touch on something really interesting because when I think of a spammer, I think of some guy sitting in his basement surrounded by monitors, just eager to watch the world burn. So it’s actually a really important lesson for me to hear that this is–it’s almost like the mob. It’s a professional organization whose entire purpose is to cheat people out of their money.

Dreas: Yeah, and it’s complicated because there’s actually different roles in those organizations. If we’re talking about the spammer, we’re thinking that somebody is sending out these messages, but what’s really happening is there is generally a store. Like taking the classical example, there’s like a Viagra store that this somewhat legit. What they’re sending is just sugar pills, but it looks legit. They’re nicely packaged. They actually send those products. It’s not that you’re not getting anything, necessarily. They actually send those products. But they’re just a small piece of the radar. Then there is somebody else that is collecting email addresses, maybe they’re hacking websites. We actually organized a symposium a couple of years ago where we had an ex-spammer, so we got quite some interesting insights from that. And they will try and hack forums, for example, where they were dealing with specific fetishes, for example, because if you have that data then you can send a very targeted attack to that group. So there would be a store owner somewhere that would be a person trying to breach websites, getting like personal information for targeted attacks, like a regular marketing campaign. There would be somebody hosting the website, there will be somebody else controlling the computers to send the messages and so there’s all these different roles and then in the end there is the one guy that brings them all together and facilitates the spamming, and everybody’s earning a bit in that process. And that’s why it’s also hard to figure out who the spammer is because it’s not one person. There’s all kinds of people involved and playing a small part in the overall picture.

Ashley: So when it comes to the difficulty in tracking down spammers, when it comes to the direct and indirect costs of a data breach, then the investment in email security doesn’t seem that difficult.

Mia: Well, Mail Assure is obviously an affordable solution. It’s easy, it’s simple, it’s priced per mailbox. Customers aren’t locked into a long-term commitment or contracts. Also, not a huge predefined number of mailboxes. So in that regard is actually quite, yeah, not such a big investment if you look at all the consequences.

Ashley: The good thing about it being priced per mailbox is it sounds like a company of any size, whether they’re a smaller MSP or larger and have upwards of 100 employees, it’s a worthwhile investment.

Mia: For sure. And obviously because it’s cloud-based, you also cut out the costs of hardware. So you don’t need any hardware, you don’t need to install anything. It’s super easy to implement.

Ashley: So what are some other things that make Mail Assure unique?

Mia: I would say one single important thing of Mail Assure is the additional layer of security that we spoke about. As we all know, email is the lifeblood of any business these days. If it stops, your business stops and it can lead to chaos and that is what we’re good at. Mail Assure obviously provides best-in-class email security and encryption to protect emails against all these viruses, ransomware, malware, spam, IP blacklisting that we spoke about, but then also the 24/7 built-in email continuity. Email continues to flow, so your users are never interrupted. People can always focus on their main business activities. I would say those are the two most important things and then obviously our in-house developed technology. I think that sets us on high bar compared to other competitors.

Dreas: I think that our ambition has always been to really try and free the world of the spam and that’s not because we believe spam would stop, but by making sure that we can adjust fast enough to all the spammers and the problems around email security. That we can respond fast enough to that, that it’s not so interesting anymore. And actually the [spam] market is changing. Email is getting less and less interesting because of the good security solutions out there. But we’re set apart by owning the technology so that we actually can control the entire process by owning the data. So if something is blocked, we know why and we can make a change. And we offer a global platform, so even if there’s like outages somewhere in the world with networks (which happens), it means that having the protection you can still be reached and still continue to use your email. So it’s really the whole suite of everything together that makes it very valuable.

Ashley: Mia, Dreas, thank you so much for coming today.

Mia: Thanks so much for having us, Ashley.

Dreas: Thank you for having us. Great being here.

Ashley: And thank you to all of you for joining us today. This is Tech Talks signing off.

Announcer: Thanks for visiting. We’ll catch you on the next episode of Tech Talks. And remember, we want to hear what you think! You can subscribe, rate, and review SolarWinds TechPod wherever you listen to podcasts.