Security Unfiltered

Preventing Bad AI: How SOC Teams Are Preventing AI-Generated Attacks

November 20, 2023 Joe South Episode 131

Mick Leach is Field CISO of Abnormal Security, an AI-native email security company that uses behavioral AI to prevent business email compromise, vendor fraud, and other socially-engineered attacks. At Abnormal, he is responsible for threat hunting and analysis, engaging with customers, and is a featured speaker at global industry conferences and events. Previously, he led security operations organizations at Abnormal, Alliance Data, and Nationwide Insurance, and also spent more than 8 years serving in the US Army’s famed Cavalry Regiments. A passionate information security practitioner, Mick holds 7 SANS/GIAC certifications, coupled with 20+ years of experience in the IT and security industries. When not digging through logs or discussing operational metrics, Mick can typically be found on a soccer field, coaching one of his 13 kids.

Abnormal Security: https://abnormalsecurity.com/unfiltered

Abnormal Security
Abnormal Security provides the leading behavioral AI-based email security platform

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.


Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902


Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, everyone? This is another Security Unfiltered podcast episode where today we actually talk with Mick Leach from Abnormal Security. Abnormal Security actually sponsored this podcast and again, you know, just remind you guys, they didn't determine any questions that I can ask them or anything like that. You know, they just believe in what we're doing here at the podcast and they wanted to support the podcast and so that's how it all kind of happened, right? So, you know, with that, let's go ahead and dive into the episode. I think you guys are going to love it. All right, see you guys. How's it going, Mick? It's really good to finally have you on the podcast. You know, I think this one we actually put together pretty quick. You know, most of my guests, it takes about like six months to come on. Honestly, like my backlog is insane, but we were able to put this thing together pretty quick and I really appreciate that. Certainly, yeah.

Speaker 2:

Thanks for having me, Joe. I really appreciate it. It's great to be on the podcast.

Speaker 1:

Yeah, absolutely. Well, Mick, you know before we dive into, you know, Abnormal Security and everything. Why don't you tell my audience, you know, your background, right, how you got into IT? Maybe why you got into IT? The reason why I have all my guests start there is because, you know, everyone's coming at this from a different background. They're all coming at it from, you know, different skill sets and whatnot. And I feel like, if they can hear, you know, a matching background, a matching skill set, they can then know like, hey, this thing is possible, right. Like I didn't know that this was possible at the time, but now I think I can actually do it. So what's your background with it?

Speaker 2:

Yeah. Well, hopefully my story is a little bit inspiring in that case, because I did take sort of the scenic route to cybersecurity. So I joined the military, was in the Army, the US Army. Go cav scouts, so you're familiar with that. Was a cav scout for eight and a half years with the US Army and as I was getting ready to get out it became time to start figuring out what next looks like. And had been interested in computers for a long time, really enjoyed working on them, had been, in my unit,

Speaker 2:

I was early on the only guy that knew how to type. I'd taken a typing class in high school. I failed that class, by the way, was terrible at it, but still was the only guy that knew where the keys roughly were and got suckered into typing all kinds of non-commissioned officer evaluation reports, these kinds of things. And so suddenly I became known as the computer guy in a combat arms unit. So it was a little unusual there. So I get out and ended up having an opportunity right away to work with Linux. And so I was supporting custom-based Linux applications at a small telecommunications company, and did that for about four years before an opportunity to join Nationwide Insurance came along as a system administrator there, and did a variety of different system administration things, really getting into encryption/decryption of data in motion. So there was PGP, SFTP, FTPS, really encrypting and protecting data in motion, and that was kind of my first foray into cybersecurity. So fast forward to about 2012. And they were looking to start creating a security operations organization, and I was given the opportunity to join that group from the ground level and jumped at that chance and realized this is what I was made for, you know, being able to protect with ones and zeros digitally felt so in line with my background in the military, and it really just felt like this convergence of everything I had been doing and loving for the last, you know, basically my whole life, and so I jumped at that chance.

Speaker 2:

Of course, nationwide at that time experienced a relatively public breach. What that meant, though, for me was that and it happened to be my first week on call as these go what that meant, though, was they opened the wallet and said how do we fix this? We hired a lot of consultants that came in and helped us build an elaborate security operation center becoming larger than Natta Security Command Center, and I was one of the founding members of that, so learned a great deal about building and running security operation centers, had the opportunity to move from there after that was reached a steady state to a company called Alliance Data and did much the same thing for them building and optimizing a security operation center there. Did that for about four years and then knew that my next role. I wanted to make an impact at a higher level. Right, I want to move the needle on the industry.

Speaker 2:

Protecting one company is valuable work. Right, that's honorable work. But I wanted to be able to make that impact broader. And so that's when I knew the next move would probably be with a vendor. And I had bought and used Abnormal Security at my last company for about a year and loved it and added them to the list of companies that I would love to work for. And, sure enough, an opportunity came available. So I've been here. I was security hire number two at Abnormal Security, yeah.

Speaker 2:

Yeah, and so my CISO, Mike Britton, is an old friend of mine, and so getting to come in and build from scratch, really put your finger on, you know, your fingerprint on something from the beginning was such a great opportunity. So did that for about the last two years and have just recently, about two weeks ago, moved into a field CISO role where I get opportunities to talk with folks like you.

Speaker 1:

So you know I have a lot of questions about that journey. You know. So, when you started out with Linux, you know, what was that like, because Linux is unlike anything else really, and I assume, you know, you're talking about the terminal side of Linux, not the fancy GUI side, you know, that everyone is used to. What was your experience with that? What was the ramp up like with that? You know, because I actually started my career with Linux and I mean it's like drinking from the fire hose on steroids. It's like wait a minute, the network stack works like this. You know, and I'm just getting out of college, I'm like wait, I just learned how to spell it. Like what are we? What are we talking about here?

Speaker 2:

Yeah, yeah, no, it's funny. You say that, I couldn't have put it better, right. Drinking from a fire hose on steroids, that's absolutely what it felt like. I will tell you that on the tail end of my military career, as I knew I was getting out, I had the opportunity to go to a Solaris course. So they sent me to a Solaris course and I'll never forget, I felt like the biggest bonehead in the room because, you know, I was half paying attention, thinking about when's lunch, and suddenly it was time for an exercise and the first step was to install Solaris.

Speaker 2:

And so we're working on that and I've got the CD in and I could not, for the life of me, I'm hitting the button, the eject button, could not figure out how to get the CD out, to change CDs to the next run, and I couldn't figure it out. I felt like a moron. And so I was like sorry, I'm going to have to raise my hand and just ask how do you get it to eject? And he's like type eject. I was like no, no, no, like really? He's like seriously.

Speaker 2:

So that was the first time that I remembered thinking, oh, this is very different, you know, than the world that I had been raised in. At the same time, as we started to get into the tech stack and we started to see how the disk was partitioned and data was stored, and you had so much more granular access to where you were putting things on disk and the ability to go and see things directly on the disk, I was like, man, this is fantastic, you don't have any of this with Microsoft. And so that's how I kind of got into it, learned just enough to convince somebody to hire me, which was probably a mistake initially, but they gave me a chance and I wanted to prove them right, so did that. That was 21st Century Communications. So got in there and they were very patient and allowed me to make a lot of mistakes and learn a few things the hard way and a lot of things the easy way, thankfully. Yeah, it's.

Speaker 1:

You know it's crazy when you go from something like Windows, it's very user friendly, you know. And then you go to Linux and, I mean, you have to, like, like you said, you didn't know how to eject the disk. Like on Windows, you hit the button, you know, you don't type eject or anything like that, you're not clicking anything. You hit the button, you assume it's going to work, but in Linux none of those features and functionalities tie together, right. You have to actually create the tie. If you want that button to eject, you need to write the script that says eject when this is pushed, you know. Like that's what it is, and, you know, same thing with, you know, like partitioning a disk.

Speaker 1:

I mean, oh my God, and I tried to do encryption at one point on Linux. I mean my brain was melted. I actually needed my VP to come over because he was the only person at the company that knew how to do the encryption and I mean I had to have him just come over and just type and I just took notes on the side, just like my brain was melted after like two hours of that troubleshooting it, not knowing you know what the hell is going on not looking at the right log files, like I was just having a terrible time.

Speaker 2:

Yeah, yeah, no, I agree. And so moving, the good news was, right, learning with Linux early on, especially with like old school Solaris, and then moving to like Red Hat, is something a little better supported. You know, you learned a lot of things the hard way, sort of the old school way, and while there are new, far more, you know, newfangled ways of doing things, you know, sed, awk can get you pretty far. So I kind of lean on those things from time to time. But yeah, learning from the beginning was great.

Speaker 1:

Do you ever, do you ever work with Linux at all, like on the side even? You know I find it that. You know I can't stay away from it. Honestly, you know I still have a VM that's forever, you know installed with a Linux flavor. That that I like, that I prefer, which, embarrassingly, it's Ubuntu, because I like the ability to have that GUI and also be able to do things in the terminal and feel like I'm getting things done. But I use that for very like select things you know, within my home network, sure.

Speaker 2:

Sure, yeah, no, I absolutely, it's still, it's like an old pair of comfortable shoes, right, it's still the most natural, most comfortable thing. So I still do, just like you in my home lab, have a couple of VMs of Linux. I've got a couple of Ubuntu versions. I've got, of course, you can't be a security guy without having at least one instance of Kali running all the time. ADHD, which I really like, Active Defense Harbinger Distribution, really good there. So yeah, just a few different, Security Onion, you know, you've got to have a few different versions running in the background, but it's still the most comfortable for me, especially if I'm going to get into log analysis.

Speaker 2:

Yeah, just nothing beats a great grep, sed, awk, you know, ability to parse tons of data.

Speaker 1:

Yeah, yeah, absolutely. Once I learned that it was like having a superpower in Linux. It's like wait a minute, I don't have to sift through this log and search for things and all that, you know. So when you started at Nationwide, you said the first week they got breached.

Speaker 2:

So it was the first week of my move into security. So I moved into a security-focused role. It was the first week that I was on call and I remember joining the call and thinking, wow, this is an exciting call. And then it got very exciting and I realized I'm in over my head, and so I had to call in for some help. But being at the very front end of that and then actually seeing a large company work through a pretty large scale breach, that made an indelible impression on me because it taught me so much about security, the legal side of things, you know, the way we protect information, the way we share information, all right at the very beginning. So it was like a crash course and, you know, you can't pay for that kind of experience.

Speaker 1:

Did they? Did they already have a security team stood up?

Speaker 2:

Yeah, yeah. So a lot of those. And that's what, as we brought consultants in, that's what we learned, is that a lot of the right things were in place. You know, it wasn't a lack of skills, it wasn't a lack of people, a lack of tooling. What it really was was a lack of coordination. So we had a lot of disparate tooling, a lot of disparate capabilities spread across a very large organization, and what we learned is that we needed to better unite those capabilities under one house, right, under one floor, so that we could better communicate with one another. And that made a world of difference.

Speaker 2:

You know, like any large organization, there were, you know, territorial things where you're like, oh, that's my world, you got to stay out of that. You know, you got to stay out of that area, that's mine, and this is our world, and now we don't touch servers, we only work in, you know, endpoints, and, you know. So we had to break down some of those walls, deal with some of those sort of past sins and then figure out how to better collaborate going forward.

Speaker 1:

Hmm, yeah, you mentioned, you know, the, the checkbook opened up, which you know, for a security person. That's like what you've been waiting for. And I went into a credit bureau right after a breach at one of our competitors and I mean, it was anything you want, like name, your number, it literally doesn't matter. We have a blank check from the CEO saying that we can do this. You know, apparently, apparently my manager this is a couple weeks before I got there, apparently, my manager actually, you know, was at the bar across the street with a bunch of the team and he was drinking a beer and he said you know what effort, you know I'm gonna, we're going to deploy this thing, we're going to buy these tools, like screw it. You know, the company is just going to figure it out. And I mean, like that was for the company, that was the best decision, because we desperately needed that technology in place before the team the team around him it was.

Speaker 1:

It was miserable because not only were we trying to ensure that we wouldn't get breached, like our competitor, but now we're, you know, trying to deploy these tools at the quickest pace these vendors had ever seen. You know, I talked with the vendor that I was in charge of their solution and I asked him, you know, what's the quickest deployment you've ever seen with this solution at any other customer? And he said, oh well, I'd have to, you know, ask around and get back to you, right? They said the quickest full deployment was 18 months. I said, okay, you know what did we do it in? He goes, you did it in six weeks. Yeah, oh, I guess that was a little quick.

Speaker 2:

Yeah, yeah, and I actually had a similar experience, right, coming here to Abnormal Security, where we were able to buy and build things very quickly, which was for me a whole new world, because in a massive Fortune 500, Fortune 100 company, you know, things move slowly and there's lots of red tape, and so, you know, to deploy a new SIEM would take 18 to 24 months. You know, here, you know, three weeks, because everybody is pulling in the same direction.

Speaker 2:

It was a massive difference. So that's exciting, I will say. Part of the problem with the blank check, though, was that, because, you know, they did, the CEO, CFO, they all come down and say, okay, just tell me how much to write this check for so that we never have this happening. And that's where you have to have our conversations, say, guys, it's not how it works. Right, we can build a lot of defenses, we can better protect ourselves. We can certainly lessen both the likelihood and the impact of a compromise going forward, but to say it'll never happen again, that's not something that we can do. So what we'll do is better position ourselves to lower the likelihood of it happening again, but in the event that it does, and it likely will at some point, but in the event that it does, we'll lower that impact as well. So that's the key. That's what we're trying to do. It took a minute to kind of re-scope people's mentality on this.

Speaker 1:

Hmm, yeah, that's. That's interesting because I feel like you know executives at that level they're not, they're not used to not being able to throw money at a problem and have that problem be fully resolved. You know, that's always kind of the question and the approach that's taken. But with security it's like, yeah, we could throw $20, $30 million into this thing, we could have the best tech stack, the best you know engineers in the country working on this thing, and we could still get breached by something that you know we didn't even know existed. You know, because that's what a zero day is. You know they could use, they could literally just use a zero day on us and get around everything that we just did.

Speaker 1:

You know, and I feel like it's also really important to what you did, there is, you know, explain it that way, you know, because a lot of security teams would just take that money and you know, like run for the hills basically, and that's maybe the worst case because what if you take all that money, you deploy all these tools, do all that work, you get the increased headcount and then you get breached. Well, now your job is at risk because you didn't properly, kind of prepare them. You know for that reality. And so now it looks like you're incompetent, when in all actuality you're not incompetent, you know. It's just how it works. In security, yeah yeah, absolutely.

Speaker 2:

It takes a while to change the mindset right. That's the big, that's the key thing, I think.

Speaker 1:

Yeah, that mindset is the hardest thing, I feel, to change. You know, right now I actually work at a pretty large company and when you said, you know, yeah, it's going to take 18 to 24 months to deploy this SIEM, you know, it took me like 12 months to get through a POC of a far smaller solution than a SIEM. It's like embarrassingly slow. You know, like guys, I would have had this done in three weeks, like, come on, just let me do some work.

Speaker 2:

Yeah, yeah, I know I'm with you, yeah. And the other thing in terms of, you know, avoiding future compromises is that, no matter how good your tech stack is, right, bad guys are always coming up with new and exciting ways of circumventing them. So you know, you look at some recent breaches that we've seen hit the news. You know they're not even targeting technical things anymore. They don't even use a zero day. Often it's not, it's not nearly that complex or technical. They just pick up the phone and call the help desk, right. It's more social engineering that we're starting to see these days, right, Because people are easier to hack than systems. It's just that simple.

Speaker 1:

Wasn't that the case with LastPass, the LastPass breach, where they like called up support and the support guy had enough access and they just sent him a link and he, you know, he clicked on it, like he normally would, you know, and it completely compromised LastPass as a whole.

Speaker 2:

Yeah, yeah, or you look at some of the recent things happening in the desert, right, in Vegas, you know, where they just picked up the phone, called the help desk, purported to be, you know, a high level security engineer, and they reset his password, they reset his MFA for him, and suddenly we've given the keys to the kingdom to a bad actor. Right, it wasn't enough they just reset his creds, but they also reset the MFA token so that he could get directly in the right way. Right, he didn't have to print anything. There was no link, there was no malicious activity of any kind apart from social engineering. And that's really what we're starting to see these days.

Speaker 1:

Yeah, it's really interesting you bring that up. You know, when earlier on in my career I did a lot of work with the government and there was a slew of documentation and background checks that I had to do and I didn't even have a TS, right Like I didn't even have Top Secret, I didn't even have Secret, you know I couldn't touch a keyboard and I still had to fill out like a 80 page document about. You know, every place that I've been since I was born who.

Speaker 1:

I spoke to like, yeah, all that stuff you know, and one of the things in there like a part of my training, I guess you know, I was talking to my handler and we somehow we got into this conversation. It was pretty late at night so I don't remember quite exactly what it was, but we were discussing about how people get compromised and he said, you know, from his own experience, right, he, you know, he had a sick kid with cancer. His credit card bills were very high and he was waiting on a tax return to actually pay off the credit cards. Because, you know, he's in government, he has a clearance, he has to make sure that it's low. But it wasn't anything that he did, you know, like he wasn't buying cars, he was like he was buying medicine for his kid and so the agency knew about it. You know, they, they were very understanding of it. But he said that you know, enemies will look at that and say, oh, we could cut him a check for, you know, a small amount of money 20 grand and it'll alleviate that debt and we'll do that. Just for a name, right, he doesn't have to tell us anything else was doing.

Speaker 1:

For a name they make it sound very small, very minute. Like what would you ever do with a first and a last name? Like I'm not even giving you the title, you know, like nothing like that, and you know that's a good point, right. Like I don't know if something like that took place, but like these, these, these people out there, you know that that don't like America or don't like your company or whatever might be, they will literally, you know, pay you tens of thousands of dollars just for a name. I mean, that's a, that's an absurd topic to me, right to go down, because to me that means nothing and that's such a minute thing. I would never, personally, if I was ever confronted with that situation. I mean, now, obviously you know I wouldn't make that choice, because now I have that knowledge, but beforehand I would never, I would never second guess it. You want to give me how much for a name? Dude, I'll give you the roster. You know, like that's where my mind would be.

Speaker 2:

Sure, yeah, and the thing is and while that definitely happens right, I mean, when I was in the military, that was definitely something that we talked a lot about, you know is reporting those kinds of things. We're well trained to expect and report those kinds of interactions, regardless of how innocuous they seem. You know? You look at Tesla. A few years ago, there was an external threat actor that offered a Tesla engineer significant money to just simply produce a single file of malware and let them they'd take it from there, and it was, and he thankfully reported it. So it didn't become an issue. But more, what we're seeing, at least in my experience, is bad actors that are preying on the good nature of human beings. You know, as security people, we don't trust anybody, right?

Speaker 1:

I suspect everything.

Speaker 2:

I'm paranoid, that's just. You know, that's how we are built. However, like Marcy, over in finance isn't built that way, right, they're just people in service roles. Their job is to help people. If you work in finance, your job is to pay bills. You know, if you work in HR, your job is to help people solve problems. And so when someone comes to you needing a bill paid or needing a problem solved, they don't typically look very deeply into those things. They just don't suspect, you know, bad motives, and so they respond to that call for help. Right, you know? I've talked to an FBI psychologist just before who talked about the power that comes with the request for help. Right, I need your help. Those four simple words right, I need your help. Those are powerful words and they can elicit people to do things they wouldn't otherwise do or that they might be more suspicious of. But because they feel like they're helping someone, they'll do more, they'll go further and not be suspicious, not think they're doing anything wrong and yet be the source of the compromise.

Speaker 1:

Yeah, that's a really good point that you mentioned. You know, security professionals are some of the most paranoid people that I know. You know, I feel like calling it paranoid is not doing it justice, but you get what I'm saying, you know. I'm sure all of our listeners, you know, understand that, which, you know, brings up a good point. You know, currently, in my current role, right, we POCed a bunch of different WAF solutions, chose one of them, and my first response was, hey, I want to stand up a Kali Linux box and I want to pound this thing when we deploy it, right, as it's going live. As we're creating the rules, I want to make sure that these rules that they claim are working, I want to make sure that they're actually working.

Speaker 1:

And almost everyone in the room was like, you know, you think that they wouldn't, you know, already know that this is working when they're deploying it? Like we have the vendor that created it deploying it for us. I'm like, yeah, that doesn't matter to me. You know, if we're spending this amount of money, we need to know definitively it's working. Like not, you know, oh, yeah, I'm sure it is. You know, I configured it right. Like no, I ran into configuration issues in the POC for a reason, you know, like I configured it to the best of my knowledge and it wasn't working. Yeah, you know. So what does that say about, you know, this solution? Like I have my own thoughts on it, but obviously I want to, you know, trust but verify. And I think the only other person in the room that agreed with me was my CISO. He's like, yeah, that's exactly why you're here. Like we need someone thinking outside the box, because everyone else in this room is just going to blindly trust this vendor because they put, you know, millions of dollars into this product.

Speaker 2:

Yeah, I'll tell you, the military does a good job in a few areas and one of them and I'll be honest, I didn't understand the need for it then because it was not very pleasant. But when you go through the gas chamber in basic training, right, we have this CS gas. It's a tear gas, very like you know military grade of tear gas, and to give you confidence in your mask, you have to go through this gas chamber. And so you'll go through. It's very unpleasant. They give you the mask. They tell you the mask works.

Speaker 2:

I was initially comfortable trusting. I just I'll trust you. I don't need to go through the gas chamber for you, you know, to trust that the gas mask works. But the reality is for all of us to truly understand and appreciate that it works. You got to test it and you got to test it in the worst way, which is you go in there no mask, right, or you go in with the mask, then you take the mask off, you breathe in, you choke, you cry, right, and then you throw the mask on and realize this works. And so it was a lot about not only training how to use it, but it was also learning to trust that it works. I think that's an important lesson in terms of security tooling today as well. Right, we can trust the vendors so far, but I would encourage you and I tell that to my clients right, our customers throw everything you got at it right? That's how you'll trust it and how we'll make sure that we're meeting your needs. So that's absolutely critical.

Speaker 1:

Yeah, that's a huge thing, that trust but verify. You know, when you bring up the gas chamber there, it makes me remember, or recall, when people were saying that that's too cruel. Right, that's like too cruel for our soldiers to go through. It's like the very first time that they should experience CS gas should not be on the battlefield. They need to know one, they're not dying and two, they can get through it because they did it before.

Speaker 1:

All of these things are absolutely critical. It's the same thing with security or IT in general. You have to build up that resistance. You have to launch a cross-site scripting attack yourself to understand what's actually going on. When I understood what a cross-site scripting attack was, it wasn't because I read it in a book, it was because I did it and I saw oh wait, a minute, I just made this query a little bit weird and I got back three accounts when I should have got back one. Okay, now I kind of understand what's going on. Here I get the function that's going on, which I think is an interesting segue into abnormal security. So let's start with what abnormal is. What's the problem that abnormal security is trying to solve?

Speaker 2:

Yeah, so Abnormal Security is an AI-native email security solution that uses behavioral data science to really baseline your environment and understand deviations from normal. So, if you go back a little bit in history and you think about the move from antivirus to EDR, right, instead of trying to define what evil looks like and then find it based on what we know it looks like, EDR changed, flipped tables. It changed the game entirely and said what if we don't care what evil looks like? What if we just know your environment so well that when we see a process run and spawn another process, right, Microsoft Word shouldn't probably spawn another process? That would be incredibly unusual, at least certainly 10 years ago, maybe a little less so today, but still there are certain behaviors. Regardless of how evil gets into an environment, it sort of standardizes in what it needs to do next, and so that's how EDR changed the game. Well, Abnormal came along and our founders didn't come from the email security space. They actually come from AdTech, so advertising, and they had learned a lot about machine learning and understanding behavior through machine learning algorithms, large language models, and so they were actually behavioral data scientists and started to talk to other folks in the security industry and said what is a problem that isn't solved?

Speaker 2:

Well, today, one thing kept coming up: email. You know, it's 2023. At the time it was 2018. And we're like, look, email's been around since the dawn of time in terms of the internet and networking. Why are we still talking about email security? And the reality is because nothing had really solved it completely. You know, you think about what we used to see: malicious links, malicious attachments. Those were kind of the bread and butter of bad guys. And the reality is today, you know, bad guys aren't even using these tried and true methods. We've trained our users in what worked then, but those are now the wrong ways to think. We trained them: don't click on any links, and you'll be fine. Don't open any attachments from somebody you don't recognize, and you'll be fine. Look for misspellings or bad grammar, and that's how you know you found the bad guy. Right, that's a phishing email. Look, the reality is bad guys have departed from those tried and true methods in favor of more advanced attacks.

Speaker 2:

Right, first, it started with Grammarly, long before generative AI was a thing. Right, AI, ML, NLP, these things have all been around a good long time, but the transition into AI that generates net new content, that is a relatively new concept. Right, ChatGPT was released almost a year ago today, right, November 30th, 2022, I think, and that kind of changed things. But even before that they were using Grammarly to improve. But now, with the advent of ChatGPT and Bard and other generative AI solutions, we're seeing threat actors that couldn't formulate a coherent English sentence two weeks ago can now craft a very good, realistic phishing message, probably better than my 10th grade English teacher, Mrs. Fox, I mean, and that's saying something. So that's what we're seeing is things are leveling. Generative AI, AI in general, has leveled the playing field for bad actors.

Speaker 1:

Hmm, yeah, you bring up a very valid point. It's that email security really hadn't changed in, I mean, a decade? You know, like it's kind of the same exact thing, like oh, this is how you train your users on email security. These are the rules that you configure. You know, like it's such an antiquated method it would never keep up, you know, in modern day security, yeah.

Speaker 2:

Yeah, and so, at my last job, you know, I just had never seen a good solution to an email that simply said, hey, Bill, it's Bob, give me a call when you get a minute, because that's what we're seeing today. Right, with bad actors, it starts with a conversation. Right, the social engineering attempts that we're seeing today really just seek to start a conversation and carry it from there. Business email compromise is the number one, you know, at least in terms of financial impact, the number one security threat for the last three or four years running, according to the FBI's IC3 report.

Speaker 2:

So, you know, this is what we're seeing. And I remember thinking at my last company, I had all the right tools, had a wonderful tech stack I'd spent three years building with my leadership, flipped it over entirely, had upper right quadrant stuff across the board. It was the tech stack of my dreams.

Speaker 2:

And yet there were still things slipping through, and so we needed to think about things differently. Right, you look at the way email security has traditionally been: you set a secure email gateway on the perimeter of your environment to protect you. That's great. It's largely looking for, again, defined evil. Right, it knows malicious IPs, malicious URLs, malicious attachments, but if those things aren't present and if DMARC, DKIM, SPF all check out, it's going to deliver that message regardless of what it says, because it couldn't really look into the body of the message.

Speaker 2:

And then I took a meeting with Abnormal's founder, Sanjay. He explained that Abnormal was fundamentally different. Rather than trying to sit on the perimeter and guard things and evaluate them as they pass, it would sit outside as a SaaS solution. It would sit outside your network entirely and make API calls directly into your email tenant, evaluate every message, including that east-west traffic that nothing else could see. Right, 70% of all email traffic is internal, and so SEGs are blind to that. And so, hearing all of this, I said, okay, that's great. I mean, how long is this going to take to install? This is going to take months. You know, I was at a Fortune 500 bank. I mean, I couldn't do anything in weeks, let alone months. Setting up the infrastructure is going to be a nightmare. And he said no, no, no, no, no, that's not how it works, it's all going to just take minutes. It takes three clicks, and because it sits outside, you don't have to change your mail flow, you don't have to make MX record changes, right. All you do is give it the creds and we're off and running. And I said, okay, we'll see. And sure enough we did. We set it up as a POC and I got a report the next day, and I'll never forget looking at that report, thinking wait, wait, wait, wait. Let me just understand. All this is slipping through my tech stack right now? And he said, yeah, and listen, we want to call your attention to one message in particular. This one here. This is your HR business partner corresponding in real time right now with a threat actor. And I went no, no, no, no, oh my gosh. And sure enough it was.

Speaker 2:

That particular one was a direct deposit fraud case where they were trying to convince our HR person that one of our internal users was trying to change their direct deposit. They were on vacation and, to be fair, the threat actor had done their homework. They used the world's greatest hacking tool, LinkedIn, found someone with a, you know, big title and probably a lot of money, cross-referenced that with Facebook, saw that they were posting pictures from Cabo and realized this person's on vacation. They created a Gmail account that was the user's first name dot last name @gmail.com. It was an unusual name and it looked very legit.

Speaker 2:

And from that email sent a note to our HR business partner and said, hey, I'm on vacation. That's why I'm emailing you from my Gmail account. I don't have access to my corporate account right now. I just realized we changed banks before we went on vacation. But this is really important. I need, you know, we're on vacation. I need my next check to come to the right bank. Can you take my direct deposit information? And she was like, no, you didn't fill out the right form. It's attached for your convenience. And wouldn't you know it, threat actor fills it out, probably better than any employee ever would, and she was getting ready to make those changes when we caught it. So, as I say, it didn't take much more to convince me we found the right.

Speaker 1:

So you know what I hear a lot of the time. You know, everyone's using Microsoft Office, you know, O365, right? Everyone kind of thinks that Microsoft has this stuff, you know, kind of locked down, that it's, you know, not going to really get through. You can get by with their default settings, you know what I mean. How do you break that mold, you know? Do you break it by showing them? Because I'll tell you right now, actually, you know, we looked at Abnormal internally, right, and it was that exact same mentality. It was like, we already have Microsoft. Like, what are they going to provide that Microsoft isn't? And then when we talked to Microsoft and Microsoft referred Abnormal Security, we're like, oh, wait a minute, like Microsoft provides similar things and they still referred us to Abnormal, you know. So, like, how do you break down those boundaries?

Speaker 2:

Yeah, I think the key thing is to understand the differences. Right? Microsoft, to be fair, very good, right? If you've got an E5 license and you've got all of this spam stuff turned on, you've got they do a great job with defined evil. Right? If they know that this is a known malicious IP address, a known malicious sender URL, if you know they can look at how recently the URL was stood up, they can do lots of things on the front end.

Speaker 2:

However, where they admit, right, to their own, you know, as they brought you guys, you know, they told you guys to look at us. You know, they're admitting that there are still things that they don't do well, and one of those is identifying malicious activity without a link, an attachment, without any known evil, and that's where we come in. We're using those large language models, we're using behavioral data science to baseline your entire environment. So what I mean when I say that is that, you know, let's go back to that email from a moment ago: hey, Bill, it's Bob, give me a call when you get a minute, right. The things that we may know, having lived in your email environment for a while, we know that Bill actually goes by William, right.

Speaker 2:

Bob knows that, and so for the first time ever, Bob calls him Bill instead of William. Even though they've been friends for a long time, they've traded thousands of email messages, he's never called him Bill. Well, that's unusual, right. And then it comes from a place that we just don't expect, right, where the timing is off. You know, there are certain things tonally. By evaluating the content of the message, using natural language processing, large language models, what we can do is break down, parse out the message itself, the message body, and understand what's actually being said for the first time, and so, because of that, we can understand tonal changes. This isn't how Joe normally sounds, you know. He's not normally this formal in his messaging. Some things differ.

Speaker 1:

Huh, yeah, I mean you just answered probably like my next two questions, right? I was going to go back to that email and, you know, ask how do you defend against it? And, you know, what's a large language model? You know, because you always hear these terms with vendors and at some point, you know, as a security professional, you kind of just gloss over it, right? You don't even look into it anymore. But that makes a lot of sense as to why and how Abnormal is able to kind of change the email security landscape, because you're looking at the actual context of the email, with the context being the other millions of emails that are sent within the environment.

Speaker 2:

Yeah, and not only that, but because we're plugged in at that level. Let's assume you're using a Microsoft 365 account for email. You know, we also support Gmail as well if you go that route, so if you're using Google Workspace for mail. But let's assume it's Microsoft 365. Because of the way you plug in using the API, Microsoft's Graph API, what you can then see also is all of AD.

Speaker 1:

So now I see everybody in your company.

Speaker 2:

I know what all of their titles are, I know what the work groups are, I know who's whose boss, and now I get this rich, the richest understanding of who you are as a person. Now, when you couple that together with all of the past emails I've ever seen you send or receive, I now have this tremendously rich understanding about who you are and how you communicate and who you do it with. So suddenly you get a new message that purports to be from a friend, right, or maybe it's a vendor that you do business with, but something's amiss, right. They call you by the wrong name. It doesn't come from the right email address. It doesn't come from the right IP address or URL. Something's amiss. Even so, with vendor email compromise, we're starting to see vendors get compromised, their email accounts get compromised, threat actors living in those email accounts for a while, understanding who folks do business with and then targeting and preying on those trusted relationships with the right message, right from the right email account.

Speaker 2:

And yet we can still detect that based upon tonal changes, based upon the history of how you talk. So, and we've caught that before. It's very interesting. Hmm.

Speaker 1:

Yeah, that's really, it's a fascinating way to look at it, you know. It makes me wonder why no one else ever thought of that before. But I mean, I guess that's a topic for another podcast. You know, where do you see Abnormal going in this space in the future? Right, where do you see email security going and growing in the future? You know, if you would have asked me, you know, 10 years ago, if this is where email security would have gone, you know, it wouldn't have been something that crossed my mind, right? I would say it's a good idea. But I never would have said, you know, oh, yeah, like that's where it's going, yeah. So where do you think that it's going?

Speaker 2:

Yeah, I think the key is AI. Right, AI is changing everything. It's changing everything on both sides of the fence, right? So in terms of threat actors, it's leveled the playing field. It's also allowed them to scale attacks in a way we never could have envisioned before. And so I think what it takes, and what you're going to see, you're starting to see it now, but I think it's going to proliferate in a massive way soon, which is security solutions beginning to use AI to combat, right, good AI to combat that bad AI. Because the reality is, as the threats scale up, our defenses need to scale up as well. Because we're seeing so much more throughput in terms of malicious activity, it's going to take different security solutions that are leveraging machine learning that can parse through thousands and thousands, tens of thousands of signals to identify that thread of abnormal, to chase that down and identify that and tell you, as an operator, hey, I think we have something unusual here, and it's really based on the volume of signals that we're seeing.

Speaker 2:

It's too much for a human to probably unite that way, and so it's going to take artificial intelligence, through machine learning algorithms that can parse all that data together, just like a SIEM can aggregate and correlate data together from logs. We're going to need it upstream, though, right, in our different security solutions. You're going to need it in your email security. You're going to need it in your EDR. You're going to need it in your firewalls, to be able to parse through and understand, unite all of the disparate information together to understand what's going on.

Speaker 1:

Is there any thought around potentially creating, like, a verified user, you know, logo or icon, you know, in an email? So like, let's say, you know, I'm talking to a vendor, both of us are Abnormal Security customers, so you would know if the person that's sending me the email is a real user, right, and you could tell if I'm a real user? Is there any thought around, you know, maybe adding a logo to that email saying Abnormal Security verified user or something like that, right? Because that would really, I feel like, just from a user perspective, you know, that adds a lot of peace of mind, where it's saying like, hey, I know I'm responding to the right person in this case. Anything like that?

Speaker 2:

You know, we've talked about that before. You know, Google just released that capability. You know, the sort of the blue check mark, if you will. You know, if you go back to Twitter's mentality. You know, we've looked at that concept before. The challenge with that is that that was the concept of the Sender Policy Framework, SPF, using DMARC and DKIM to verify the authenticity of the sender. So those things actually already exist, and as long as we're all good corporate citizens and you have your SPF set to fail and/or reject or whatever, you shouldn't be allowed to spoof. Traditional spoofing has kind of fallen out because most companies do the right thing. They set up their DMARC, their DKIM. SPF is set to reject, so if it doesn't come from the right place, it shouldn't reach you at all in the first place. That's sort of email security 101.

Speaker 2:

Now, if you fast forward, the real challenge then becomes how hard is it to compromise an email, a cloud email account, today, right? Whether it's credential stuffing using compromised creds that are found all over the place, because users refuse to change their passwords or they use weak passwords, or whether it's like a credential phishing attack and I've now collected your creds. Regardless.

Speaker 2:

Let's say I have your creds. Logging into your account, it's already a done deal. If you don't have MFA enabled, right, I can just log directly into your Office 365 account. Now, if you have MFA, I can still brute force it, right? I can still try and smash you at 3am with push after push after push until eventually you just accept one. And now I'm in. So compromising a cloud email account by itself today, it's pretty trivial to do. The danger then becomes, now that I'm in as you into your account, I can send messages as you, with the blue checkmark or whatever would be there. So I fear that it would give a false sense of security in the circumstance of an account takeover.

Speaker 1:

So that's where you've got to be cautious these days. Yeah, that makes sense. Somehow I didn't think of that, but it definitely makes sense. Well, Mick, you know, I really appreciate you coming on. Unfortunately, I think we're at the top of our time here, you know. So, before I let you go, how about you tell my audience, you know, where they can find you if they want to reach out, where they can find Abnormal Security, if they wanted to learn more about Abnormal?

Speaker 2:

Yeah, yeah, you guys can reach me directly at mick at abnormalsecurity.com. That'll reach me, M-I-C-K at abnormalsecurity.com. You can also go to abnormalsecurity.com/demo if you want to see how this works, because seeing it live changes lives. I'm going to tell you that right now. And lastly, if you want to sign up for a free, risk-free trial, if you want to, we can come in and do a report. You can go to abnormalsecurity.com and we'll be able to set you up there as well.

Speaker 1:

So, yeah, I think we're going to be able to do a report. You can go to abnormalsecurity.com/demo if you want to see how this works.

Mick Leach's Journey Into Cybersecurity
Lessons From Security Breach
Cybersecurity Challenges and Changing Mindsets
Trust and Verification in Security
Emerging Threats in Email Security
The Future of Email Security
How to Find Abnormal Security
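
The "email security 101" point in the conversation above, that a domain's SPF and DMARC records decide whether a plain spoof is rejected or delivered, can be checked mechanically. The script below is an added example for this page; it is not code from the episode, the podcast or Abnormal Security. It takes the TXT records as strings (no DNS lookups are made; resolving them is left to the caller) and flags the weak settings that still let spoofed mail through: a soft-fail or neutral `all` in SPF, `p=none` or `p=quarantine` in DMARC, a `pct` below 100, and a subdomain policy that differs from the main one. The two domains and their records at the bottom are constructed for illustration.

```python
"""Check a domain's SPF and DMARC TXT records for spoofing resistance.

Added example for this page; not code from the episode, the podcast or
Abnormal Security. No DNS queries are made: the TXT records are passed in
as strings, and the sample records under __main__ are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PolicyReport:
    spf_all: Optional[str] = None       # "-all", "~all", "?all", "+all", or None if absent
    dmarc_policy: Optional[str] = None  # value of the DMARC p= tag
    dmarc_pct: int = 100                # value of the DMARC pct= tag
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only if a plainly spoofed message from this domain should be rejected."""
        return (self.spf_all == "-all"
                and self.dmarc_policy == "reject"
                and self.dmarc_pct == 100)


# SPF terms that cost a DNS lookup (RFC 7208 caps a record at 10 of them).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?![a-z])|mx(?![a-z])|ptr|exists:|redirect=)", re.I)
_ALL_TERM = re.compile(r"^([-~?+]?)all$", re.I)


def parse_spf(record: str) -> Tuple[Optional[str], List[str]]:
    """Return the record's 'all' qualifier and a list of weaknesses."""
    findings: List[str] = []
    if not record.lower().startswith("v=spf1"):
        return None, ["SPF record does not start with v=spf1"]
    terms = record.split()[1:]
    all_term = None
    for term in terms:
        m = _ALL_TERM.match(term)
        if m:
            all_term = (m.group(1) or "+") + "all"   # a bare 'all' means '+all'
    if all_term is None:
        findings.append("SPF has no 'all' mechanism; unmatched senders get a neutral result")
    elif all_term == "+all":
        findings.append("SPF '+all' authorises every sender on the internet")
    elif all_term in ("~all", "?all"):
        findings.append(f"SPF '{all_term}' is not a hard fail; spoofs only softfail or neutral")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10 (permerror)")
    return all_term, findings


def parse_dmarc(record: str) -> Tuple[Optional[str], int, List[str]]:
    """Return (p= policy, pct, weaknesses) for a DMARC TXT record."""
    findings: List[str] = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None, 100, ["DMARC record missing v=DMARC1"]
    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("DMARC record has no p= tag and is invalid")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine sends spoofs to junk instead of rejecting them")
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: {100 - pct}% of failing mail bypasses the policy")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy != policy:
        findings.append(f"subdomain policy sp={sub_policy} differs from p={policy}")
    return policy, pct, findings


def evaluate(spf_record: str, dmarc_record: str) -> PolicyReport:
    """Combine both checks into one report for a domain."""
    report = PolicyReport()
    report.spf_all, spf_findings = parse_spf(spf_record)
    report.dmarc_policy, report.dmarc_pct, dmarc_findings = parse_dmarc(dmarc_record)
    report.findings = spf_findings + dmarc_findings
    return report


if __name__ == "__main__":
    # Constructed records for two hypothetical domains.
    samples = {
        "strict.example": ("v=spf1 include:_spf.example.net -all",
                           "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
        "loose.example": ("v=spf1 include:_spf.example.net ~all",
                          "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@loose.example"),
    }
    for domain, (spf, dmarc) in samples.items():
        rep = evaluate(spf, dmarc)
        print(f"{domain}: enforcing={rep.enforcing}")
        for finding in rep.findings:
            print(f"  - {finding}")
```

Note the caveat from the conversation: `enforcing` being true only means a message that fails authentication should be rejected. A message sent from a compromised mailbox passes SPF, DKIM and DMARC legitimately, which is why the records are a floor for spoofing, not a signal that the sender is who they appear to be.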