What is Anti-Phishing?

Terms You Might Also Hear

• Business Email Compromise (BEC)

• Spear Phishing

Why It Matters

Email is a house of cards for most organizations and is the origin point of most cybersecurity attacks.

Problem Statement

• Phishing targets organizations of all sizes and people from all walks of life. The attacks can be both opportunistic and targeted depending on the motives of the attackers.

• Phishing attacks are largely based on financial motives, and no one is immune to receiving this kind of security threat in business and personal life.

• Many experts cite phishing as the first phase of most attacks leading to ransomware, business email compromise, extortion, and fraud.

• Some studies purport that phishing attacks account for 90% of all data breaches.

• Identifying, preventing, and responding to phishing attacks is a priority for most organizations, but little can stop the ebbing and ever-changing flow of malicious emails.

• Phishing and email attacks are not only increasing, but they’re also evolving. They are a part of life on the Internet.

Market Solution

Enter the Anti-Phishing product market space.

• Phishing, and people’s susceptibility to it, mean the product market space views this issue as a “human problem.”

• Solutions either have to teach humans how to not be tricked so easily or they have to accept that humans will be tricked and try to address the problem with the technology behind the scenes.

• Solutions in the anti-phishing space can take on different forms, and many organizations use most or all of these:

Content Disarmament

• By far the most common approach, these tools are designed to be in the flow of mail (between the person sending and receiving the email) to intercept, inspect, unpack, and potentially detonate malicious payloads like links or attachments.

• These tools prevent bad emails from arriving at the recipient. This is often cloud-based and happens per link.

Simulated Attacks & Training

• Platforms that allow a company to send “safe” phishing emails, SMS, and phone calls to employees as a means for training and awareness.

• These simulations are used to show how susceptible people are to phishing attacks.

• Learning and development platforms that educate employees using an online course format and simulated exercises to spot signs of phishing.

• These courses are tailored to an individual organization to train employees on spotting phishing attacks and handling them at their company.

Job Supplementation

• Digital and physical assets like posters, signs, stickers, and desk cards give employees constant reminders to be aware of phishing.

• Anti-phishing requires constant vigilance, so the goal here is to ingrain awareness and how to safely respond.

Players in the Space

This is not an exhaustive list. If I'm missing a company, let me know!

Predictions

• With COVID-19 and remote working becoming more of a norm, many companies will have to extend the reach of their security capabilities into employee home networks, which is arguably more hostile compared to a traditional corporate network with unmanaged and untrusted routers, printers, gaming consoles, and home IoT devices. A successful phishing attack that compromises one part of the home network can pivot to other devices on the network, including the corporate-managed laptop.

• Since phishing doesn’t have a work-life balance, remote employee protection, especially for high-profile executives, will be on the rise. Look for a rise in vendors and products that can serve both corporate laptops and personal devices with the same level of visibility and protection. There are obvious privacy concerns here. BlackCloakhas entered the chat.

• Acquisitions in the overall cybersecurity space will lead to vendors looking to have more of the security pie in an organization. Adding an anti-phishing product to your existing portfolio offerings will make it easier for companies to lock customers in.

• New products and payment models will emerge in this space. Area 1 Security already does a pay-per-phish model where a company only pays for the phishing emails the service finds/blocks. This may look to be an obvious conflict of interest, but there are greater network effects at play here when you opt-in to that ecosystem that everyone benefits from (i.e., think election security).

Opportunities

• Go multi-threaded. As a buyer in this space, you’ll need to deploy social, psychological, and technological means to keep your organization safe from phishing. One solution will not be enough, so think of Defense in Depth.

• Look for bundles where it makes sense. As mentioned in a previous issue, corporate buyers can rarely buy the best of the best. Bundling anti-phishing with Endpoint Detection and Response (EDR) platforms can increase your security observability where most attacks happen by volume - on an employee’s computer.

• Make simulation content dynamic. Most phishing simulation platforms are just versions of MailChimp. Instead of sending a singular email campaign to a list of users, make a platform that allows for randomization and customization. Send multiple emails with variations of domains and email bodies to make them harder to detect, like real phishing emails.

• Make it interactive. Train employees the same way you train developers to not write insecure code. Solutions that can offer immediate feedback and training at the time of click or in the email clients will teach users the point that it matters the most. This will be far more effective than the once-a-year training that employees speed-click through to the end.

• Apply the Principles of Chaos Engineering as an approach to phishing simulations. Taking the randomization step a big jump further, even the security team shouldn’t know when the phishing campaigns are being released, what they look like, and who they are targeting. No one should be spared.

• Product partnerships between anti-phishing solutions and end-to-end email encryption solutions can create a more robust service. Think of this “email security” and “securing email” as one service to customers.

• Managed Detection and Response (MDR) vendors will benefit the most from acquiring this type of product. This will be especially attractive to SMBs (Small and Medium Businesses) who need a full complement of security capabilities but who have little staff or little experience in the cybersecurity field and are often targeted more than large companies.

• This is an industry ripe for practical applications of Machine Learning (ML) on the end-user side. Machine learning is already happening on the interception and content disarmament side, but making it visible as people use email can help reinforce learnings at the time of receiving an email and will have hugely positive impacts on empowering security awareness at the individual level. Cybernite is doing just that.

Key Insights

• A good anti-phishing program is still only a small piece of the overall cybersecurity puzzle. This is one of the most important pieces, but you can’t overlook or neglect strong identification and protection defenses elsewhere.

• Anti-phishing solution implementations require nuance. Disrupting the user experience for the sake of security has a high trade-off of risk vs. reward, but it just might be worth it to reduce phishing attacks.

• Rolling out a successful anti-phishing program is more about constant change management than about the technology itself (as with most technology rollouts). You want behaviors to change, which is the hardest thing to do. Take a page from the experts on change management.

• Don’t “name and shame” with phishing simulation metrics to drive better end-user compliance and awareness. Showing month-over-month click rates by department or line of business isn’t useful to anyone.

• Constantly comparing your company’s phishing simulation metrics against your industry or peer companies doesn’t add value or drive action. Use it as a strategy to get the right funding and support at first, but showing the value over the long haul of the program is a challenge. If you can’t show a positive trend, then the money will stop coming, and it won’t be the technology’s fault.

• Showing ROI (Return on Investment) from an anti-phishing solution is hard. Each day, the goalposts get moved just a bit further. Make sure you are tracking KPIs that matter, not just metrics on who is not doing well.

Pro Positions

What type/size/stage company should leverage these platforms?

• Startups (1-250 employees) - Start looking at this kind of solution once you get past SOC 2 compliance and find the right EDR.

• Small and Medium-sized Businesses (SMBs) (250-500 employees) - make this a priority. The bigger you get, the more shots you’re going to have on goal.

• Larger Companies (>500-1,000+ employees) - same as the above, and the stakes continue to get higher, but you've likely got other defense-in-depth controls. Just to be clear - email should not be the final frontier of your security program, so this is mandatory.

What makes one of these platforms “good?”

• Look for solutions that meet individual users where they are. Platforms that can do point-in-time training and coverage will give you the best value.

• Look for solutions with more than one method of analysis and triage, and not one solely based on a rules engine that has to be constantly updated or otherwise it fails.

Out of the Players listed, who are the top ones I would consider?

• Area 1 Security

• Cofense (formerly PhishMe)

• KnowBe4

• Material

• Tessian

References

• The History of Phishing

• Business Email Compromise

• Phishing and Email Fraud Statistics 2019

• Verizon 2020 Data Breach Investigations Report

• Tackling Phishing and BEC Attacks

• Defense in Depth

• What is Machine Learning?

• More Than 8 in 10 Fell Victim to Phishing Attacks in 2018

Thanks for reading this far!

This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer. At the time of writing this post, I have no active investments in any of the companies mentioned above.

If I missed something (or am just wrong), let me know!

If your company is looking to get in front of a highly curated, hard-to-reach, and sought-after audience, consider sponsoring Return on Security.