February 14, 2017
Would it surprise you to learn that in recent testing Mimecast has seen a 13.2% false negative rate for incumbent email security systems? Does your current email security system let through an inordinate amount of spam, malware, malicious URLs, or impersonation emails?
How would you find out if it did? Is your primary source for detecting false negatives your users? Do you wonder how your email security performance compares with your peers?
The fact is, until now, there hasn’t been much data comparing or benchmarking the performance of email security systems. They all claim the ability to defend against spam, malware, spear-phishing, malicious links and other email attack techniques. But how good are they really? How do they compare in their ability to block opportunistic email-borne attacks as well as more targeted attacks?
In working with our more than 25,000 customers, Mimecast has seen firsthand that email security systems do not perform equally well. To address this lack of data head-on, Mimecast launched its Email Security Risk Assessment (ESRA).
The Mimecast ESRA has three goals:
- To test the Mimecast cloud security service against an individual organization’s incumbent email security system. To help the organization see in one report the number, type, and severity of email-borne threats that are currently getting into their organization.
- To inform the security industry with hard data on the effectiveness of various commonly-deployed, email security systems.
- To inform the security industry with hard data regarding the number, type, and severity of email-borne threats that are actively being used in attacks.
In an ESRA, Mimecast uses its cloud-based Advanced Security service to assess the effectiveness of other email security systems. The ESRA test passively inspects emails that have been inspected by the organization’s incumbent email security system and received by their email management system. In an ESRA, the Mimecast service re-inspects the emails deemed safe by the incumbent email security system and thus looks for false negatives, such as spam, malicious files, and impersonation emails.
The results we’ve uncovered so far are concerning: Email attacks ranging from opportunistic spams to highly-targeted impersonation attacks are getting through incumbent email security systems both in large number and in various types.
To learn more and to see the results of the ESRA tests completed to date, please check out this paper.
February 13, 2017
If you equate internal threats with just malicious insiders you need to read on. When thinking of the people behind internal threats you need to be concerned about three profiles, not just one:
- Compromised Insiders: These employees have had their accounts or systems taken over by an external attacker through credential harvesting, phishing or the installation of various forms of malware. While many of these takeovers are initiated via email, web drive-bys, botnets, and other modes of entry can also be the source of the compromise.
- Careless Insiders: There are also employees at every organization who ignore or simply don’t fully understand the organization’s security policies and rules. We call these folks, Careless Insiders. While ignoring security policies is not done with malicious intent, the actions – such as sending sensitive information insecurely or to the wrong people – can put the organization at greater risk of sensitive data leakage or attack.
- Malicious Insiders: And last but not least, are the Malicious Insiders. Though not common, malicious insiders do exist, and when they strike can cause significant damage. These rogue employees either intend to profit personally from or do damage to the organization by stealing, leaking or compromising confidential data or systems.
So, which one is the real problem? Unfortunately, the answer is all of them! In a recently published survey and report from Forrester, respondents were asked whether their organizations had had security incidents from each of the three types of insiders over the last 24 months. The answering was sobering: 63%, 57%, and 41% respectively had incidents from each type, respectively – Compromised, Careless, and Malicious. Clearly, internal threats are really threatening and not as rare as one might hope.
To more fully address the security threats represented by the each of these internal threat profiles, Mimecast recently announced the latest addition to our Mimecast Target Threat Protection security service: Internal Email Protect. Internal Email Protect provides for the scanning of attachments and URLs for internal-to-internal emails as well as content filtering enforced by Data Leak Prevention services. It also includes the ability to automatically delete infected emails and attachments from employees’ inboxes. In addition, so that your organization doesn’t become an attack stepping stone to one of your partners or customers, Internal Email Protect also adds the scanning of attachments and URLs for your outbound emails. Even more exciting, Mimecast is the only cloud-based email security service that has this capability!
Unfortunately, internal threats are a fact of business life. But by adding Internal Email Protect to your implementation of Mimecast Targeted Threat Protection, this service can reduce the risk that your organization will be negatively impacted by them.
View our Internal Email Protect Press Release here.
The RSA Conference whirlwind is only days away. Are you ready? Is it possible to be ready? Don’t forget to pack your Tylenol and your sensible shoes. Like many of you, even though the conference is for a full week, my free time at the conference is extremely limited with many competing priorities. Planning is required to make the best use of my time. Beyond working the Mimecast booth and meeting with customers, prospects, industry analysts, and journalists, what will I do with my free time? Attend some sessions.
In no particular order, here are the 5 sessions that have caught my eye that I will make every effort to attend:
- Lessons from a Billion Breached Records-Ever wonder what happens with all those stolen data and how they were stolen? And why do attackers often dump this data publicly? With breaches representing a billion breached data records in scope, it sounds like the speakers are in a pretty good position to sort this out for me.
- Cyber-Insurance: Fraud, Waste, or Abuse – Does this session sound a bit pessimistic about cyber-insurance? I frankly have not understood how insurers can reasonably underwrite a risk, in this case cyberrisk, for a loss whose probability of occurrence and size of impact is impossible to predict. I am expecting a cautionary tale in this session for sure – maybe even some anger!
- Practical Intelligence Sharing: ISACs and ISAOs– Intelligence sharing has certainly made progress, but it seems to me that we still have a long way to go. This session is closely related to my current strategy focus at Mimecast as we collect a tremendous amount of data by processing the email of our 20K+ customers and inspecting ~650M emails every day for threats. But how best to share the meta-information we glean from this data with customers and industry groups? I hope this series of sessions will add to my insights on this.
- Targeted Attacks Against Corporate Inboxes – A Gmail Perspective– Another session of the five that directly relates to what we do at Mimecast for email security. Always interesting to hear what one of the big email service providers is seeing and doing (and not doing) around email security.
- Psychology of an Eastern European Cybercriminal: Mindset Drives Behavior– Under the guise of knowing your adversaries, this session looks quite interesting as it will focus on making some of the nameless and faceless cybercrime bosses a bit more human. While I don’t expect to come out of this session with any sympathy for them, perhaps I can pick up some tricks to help our customers better defend against them.
In my 15 consecutive years of attending RSAC, I never cease to be amazed by the scale and scope of the conference. Let’s all try to attend some sessions this year! These are my 5 suggestions. What other ones do you think should be on my list?
Recently, the State of New York has taken steps towards passing the nation’s first cybersecurity regulation which explicitly tells financial organizations in New York what they must do in their security program. You can read an overview of this in the article, “Full Employment for CISOs in New York.”
The main question I have is, does it make sense to legislate the details of a security program versus allowing organizations to build programs that meet the business needs and risk tolerance of their organizations?
Before I answer that question, let me first state that overall, I believe the directives in the regulation generally make sense. In fact, they are practices that most security professionals would have as part of their standard operating procedures. It is a little odd though that they explicitly call out two technology areas – multi-factor authentication and encryption – for inclusion, while staying very high-level on the other security control areas. Again, not that multi-factor authentication and encryption are bad areas to focus on, but why are those included and while other important security controls, such as email security, Web security, anti-virus, identity management, and many other security categories?
Now back to the main question of this blog, is legally requiring specific security practices a good thing? My take is no. However, should regulators consider cybersecurity as part of their supervisory responsibilities? Yes, as part of their view of the organization’s risk management program. Ultimately, organizations are responsible for their own risk management programs and how much risk they can tolerate and how best to mitigate that risk.
Just as regulators don’t direct in detail other aspects of the organization’s business practices, nor should they do it for their cyber risk management practices. There are just too many opportunities for unintended consequences to arise. For example in my experience the more detailed the regulation, it not only becomes overwhelming for the CISO looking to implement, but there’s also a greater chance that the security program turns into a checklist program and not a risk management focused one.