Security Unfiltered
Preventing Bad AI: How SOC Teams Are Preventing AI-Generated Attacks
Mick Leach is Field CISO of Abnormal Security, an AI-native email security company that uses behavioral AI to prevent business email compromise, vendor fraud, and other socially-engineered attacks. At Abnormal, he is responsible for threat hunting and analysis, engaging with customers, and is a featured speaker at global industry conferences and events. Previously, he led security operations organizations at Abnormal, Alliance Data, and Nationwide Insurance, and also spent more than 8 years serving in the US Army’s famed Cavalry Regiments. A passionate information security practitioner, Mick holds 7 SANS/GIAC certifications, coupled with 20+ years of experience in the IT and security industries. When not digging through logs or discussing operational metrics, Mick can typically be found on a soccer field, coaching one of his 13 kids.
Abnormal Security: https://abnormalsecurity.com/unfiltered
Abnormal Security provides the leading behavioral AI-based email security platform
Mick Leach's Journey Into Cybersecurity
Speaker 1: How's it going, everyone? This is another Security Unfiltered podcast episode where today we actually talk with Mick Leach from Abnormal Security. Abnormal Security actually sponsored this podcast and again, you know, just remind you guys, they didn't determine any questions that I can ask them or anything like that. You know, they just believe in what we're doing here at the podcast and they wanted to support the podcast and so that's how it all kind of happened, right? So, you know, with that, let's go ahead and dive into the episode. I think you guys are going to love it. All right, see you guys. How's it going? Mick, it's really good to finally have you on the podcast. You know, I think this one we actually put together pretty quick. You know, most of my guests, it takes about like six months to come on. Honestly, like my backlog is insane, but we were able to put this thing together pretty quick and I really appreciate that. Certainly, yeah.
Speaker 2: Thanks for having me, Joe. I really appreciate it. It's great to be on the podcast.
Speaker 1: Yeah, absolutely. Well, Mick, you know, before we dive into, you know, Abnormal Security and everything, why don't you tell my audience, you know, your background, right, how you got in IT? Maybe why you got in IT? The reason why I have all my guests start there is because, you know, everyone's coming at this from a different background. They're all coming at it from, you know, different skill sets and whatnot. And I feel like, if they can hear, you know, a matching background, a matching skill set, they can then know like, hey, this thing is possible, right? Like I didn't know that this was possible at the time, but now I think I can actually do it. So what's your background with it?
Speaker 2: Yeah. Well, hopefully my story is a little bit inspiring in that case, because I did take sort of the scenic route to cybersecurity. So I joined the military, was in the Army, the US Army, cav scouts, so you're familiar with that. Was a cav scout for eight and a half years with the US Army and as I was getting ready to get out it became time to start figuring out what next looks like. And had been interested in computers for a long time, really enjoyed working on them, had been, in my unit,
Speaker 2: I was early on the only guy that knew how to type. I'd taken a typing class in high school. I failed that class, by the way, was terrible at it, but still was the only guy that knew where the keys roughly were and got suckered into typing all kinds of non-commissioned officer evaluation reports, these kinds of things. And so suddenly I became known as the computer guy in a combat arms unit. So it was a little unusual there. So I get out and ended up having an opportunity right away to work with Linux. And so I was supporting custom-based Linux applications, a small telecommunications company, and did that for about four years before an opportunity to join Nationwide Insurance came along as a system administrator there, and did a variety of different system administration things, really getting into encryption, decryption of data in motion. So there was PGP, SFTP, FTPS, really encrypting and protecting data in motion, and that was kind of my first foray into cybersecurity. So fast forward to about 2012, and they were looking to start creating a security operations organization, and I was given the opportunity to join that group from the ground level and jumped at that chance and realized this is what I was made for. You know, being able to protect with ones and zeros digitally felt so in line with my background in the military, and it really just felt like this convergence of everything I had been doing and loving for the last, you know, basically my whole life, and so I jumped at that chance.
Speaker 2: Of course, Nationwide at that time experienced a relatively public breach. What that meant, though, for me was that, and it happened to be my first week on call, as these go, what that meant, though, was they opened the wallet and said, how do we fix this? We hired a lot of consultants that came in and helped us build an elaborate security operations center, becoming larger than Natta Security Command Center, and I was one of the founding members of that, so learned a great deal about building and running security operations centers. Had the opportunity to move from there, after that had reached a steady state, to a company called Alliance Data and did much the same thing for them, building and optimizing a security operations center there. Did that for about four years and then knew that my next role, I wanted to make an impact at a higher level. Right, I want to move the needle on the industry.
Speaker 2: Protecting one company is valuable work. Right, that's honorable work. But I wanted to be able to make that impact broader. And so that's when I knew the next move would probably be with a vendor. And I had bought and used Abnormal Security at my last company for about a year and loved it and added them to the list of companies that I would love to work for. And, sure enough, an opportunity came available. So I've been here. I was security hire number two at Abnormal Security, yeah.
Speaker 2: Yeah, and so my CISO, Mike Britton, is an old friend of mine, and so getting to come in and build from scratch, really put your finger on, you know, your fingerprint on something from the beginning was such a great opportunity. So did that for about the last two years and have just recently, about two weeks ago, moved into a Field CISO role where I get opportunities to talk with folks like you.
Speaker 1: So, you know, I have a lot of questions about that journey. You know. So, when you started out with Linux, you know, what was that like? Because Linux is unlike anything else really, and I assume, you know, you're talking about the terminal side of Linux, not the fancy GUI side, you know, that everyone is used to. What was your experience with that? What was the ramp-up like with that? You know, because I actually started my career with Linux and I mean it's like drinking from the fire hose on steroids. It's like, wait a minute, the network stack works like this? You know, and I'm just getting out of college, I'm like, wait, I just learned how to spell it. Like what are we, what are we talking about here?
Speaker 2: Yeah, yeah, no, it's funny you say that. I couldn't have put it better, right. Drinking from a fire hose on steroids, that's absolutely what it felt like. I will tell you that on the tail end of my military career, as I knew I was getting out, I had the opportunity to go to a Solaris course. So they sent me to a Solaris course and I'll never forget, I felt like the biggest bonehead in the room because, you know, I was half paying attention, thinking about when's lunch, and suddenly it was time for an exercise and the first step was to install Solaris.
Speaker 2: And so we're working on that and I've got the CD in and I could not, for the life of me, I'm hitting the button, the eject button, could not figure out how to get the CD out, to change CDs to the next run, and I couldn't figure it out. I felt like a moron. And so I was like, sorry, I'm going to have to raise my hand and just ask, how do you get it to eject? And he's like, type eject. I was like, no, no, no, like really? He's like, seriously.
Speaker 2: So that was the first time that I remembered thinking, oh, this is very different, you know, than the world that I had been raised in. At the same time, as we started to get into the tech stack and we started to see how the disk was partitioned and data was stored, and you had so much more granular access to where you were putting things on disk and the ability to go and see things directly on the disk, I was like, man, this is fantastic, you don't have any of this with Microsoft. And so that's how I kind of got into it. Learned just enough to convince somebody to hire me, which was probably a mistake initially, but they gave me a chance and I wanted to prove them right, so did that. That was 21st Century Communication. So got in there and they were very patient and allowed me to make a lot of mistakes and learn a few things the hard way and a lot of things the easy way, thankfully. Yeah, it's...
Speaker 1: You know, it's crazy when you go from something like Windows, it's very user friendly, you know. And then you go to Linux and you're, I mean, you have to, like, like you said, you didn't know how to eject the disk. Like on Windows, you hit the button, you know, you don't type eject or anything like that, you're not clicking anything. You hit the button, you assume it's going to work, but in Linux none of those features and functionalities tie together, right? You have to actually create the tie. If you want that button to eject, you need to write the script that says eject when this is pushed, you know, like that's what it is, and, you know, same thing with, you know, like partitioning a disk.
Speaker 1: I mean, oh my God, and I tried to do encryption at one point on Linux. I mean, my brain was melted. I actually needed my VP to come over because he was the only person at the company that knew how to do the encryption and I mean I had to have him just come over and just type and I just took notes on the side. Just like my brain was melted after like two hours of that, troubleshooting it, not knowing, you know, what the hell is going on, not looking at the right log files. Like I was just having a terrible time.
Speaker 2: Yeah, yeah, no, I agree. And so moving, the good news was, right, learning with Linux early on, especially with like old school Solaris, and then moving to like Red Hat, is something a little better supported. You know, you learned a lot of things the hard way, sort of the old school way, and while there are new, far more, you know, newfangled ways of doing things, you know, sed and awk can get you pretty far. So I kind of lean on those things from time to time. But yeah, learning from the beginning was great.
Speaker 1: Do you ever work with Linux at all, like on the side even? You know, I find that, you know, I can't stay away from it. Honestly, you know, I still have a VM that's forever, you know, installed with a Linux flavor that I like, that I prefer, which, embarrassingly, it's Ubuntu, because I like the ability to have that GUI and also be able to do things in the terminal and feel like I'm getting things done. But I use that for very like select things, you know, within my home network. Sure.
Speaker 2: Sure, yeah, no, I absolutely, it's still, it's like an old pair of comfortable shoes, right? It's still the most natural, most comfortable thing. So I still do, just like you, in my home lab, have a couple of VMs of Linux. I've got a couple of Ubuntu versions. I've got...
Lessons From Security Breach
Speaker 2: Of course, you can't be a security guy without having at least one instance of Kali running all the time. ADHD, which I really like, Active Harbinger, Active Defense Harbinger Distribution, really good there. So yeah, just a few different, Security Onion. You know, you've got to have a few different versions running in the background, but it's still the most comfortable for me, especially if I'm going to get into log analysis.
Speaker 2: Yeah, just nothing beats a great grep, sed, awk, you know, ability to parse tons of data.
Speaker 1: Yeah, yeah, absolutely. Once I learned that, it was like having a superpower in Linux. It's like, wait a minute, I don't have to sift through this log and search for things and all that, you know. So when you started at Nationwide, you said the first week they got breached.
Speaker 2: So it was the first week of my move into security. So I moved into a security-focused role. It was the first week that I was on call and I remember joining the call and thinking, wow, this is an exciting call. And then it got very exciting and I realized I'm in over my head and so we had, you know, I had to call in for some help. But being at the very front end of that and then actually seeing a large company work through a pretty large-scale breach, that made an indelible impression on me because it taught me so much about security, the legal side of things. You know, the way we protect information, the way we share information, all right at the very beginning. So it was like a crash course and, you know, you can't pay for that kind of experience.
Speaker 1: Did they already have a security team stood up?
Speaker 2: Yeah, yeah. So a lot of those. And that's what, as we brought consultants in, that's what we learned, is that a lot of the right things were in place. You know, it wasn't a lack of skills, it wasn't a lack of people, a lack of tooling. What it really was was a lack of coordination. So we had a lot of disparate tooling, a lot of disparate capabilities spread across a very large organization, and what we learned is that we needed to better unite those capabilities under one house, right, under one floor, so that we could better communicate with one another. And that made a world of difference.
Speaker 2: You know, like any large organization, there were, you know, territorial things where you're like, oh, that's my world, you've got to stay out of that. You know, you've got to stay out of that area, that's mine and this is our world. And now we don't touch servers, we only work in, you know, endpoints, and you know. So we had to break down some of those walls, deal with some of those sort of past sins and then figure out how to better collaborate going forward.
Speaker 1: Hmm, yeah, you mentioned, you know, the checkbook opened up, which, you know, for a security person, that's like what you've been waiting for. And I went into a credit bureau right after a breach at one of our competitors and I mean, it was anything you want, like name your number, it literally doesn't matter. We have a blank check from the CEO saying that we can do this. You know, apparently my manager, this is a couple weeks before I got there, apparently my manager actually, you know, was at the bar across the street with a bunch of the team and he was drinking a beer and he said, you know what, eff it, you know, we're going to deploy this thing, we're going to buy these tools, like screw it. You know, the company is just going to figure it out. And I mean, like that was, for the company, that was the best decision, because we desperately needed that technology in place. Before, for the team around him, it was...
Speaker 1: It was miserable because not only were we trying to ensure that we don't get breached, like our competitor, but now we're, you know, trying to deploy these tools at the quickest pace these vendors had ever seen. You know, I talked with the vendor that I was in charge of their solution and I asked him, you know, what's the quickest deployment you've ever seen with this solution at any other customer? And he said, oh well, I'd have to, you know, ask around and get back to you, right? They said the quickest full deployment was 18 months. I said, okay, you know, what did we do it in? He goes, you did it in six weeks. Yeah, oh, I guess that was a little quick.
Speaker 2: Yeah, yeah, and I actually had a similar experience, right, coming here to Abnormal Security, where we were able to buy and build things very quickly, which was for me a whole new world, because in a massive Fortune 500, Fortune 100 company, you know, things move slowly and there's lots of red tape, and so, you know, to deploy a new SIEM would take 18 to 24 months. You know, here, you know, three weeks, because everybody is pulling in the same direction.
Speaker 2: It was a massive difference. So that's exciting, I will say.
Cybersecurity Challenges and Changing Mindsets
Speaker 2: Part of the problem with the blank check, though, was that, because, you know, they did, the CEO, CFO, they all come down and say, okay, just tell me, tell me how much to write this check for, so that we never have this happening. And that's where you have to have our conversations, say, guys, it's not how it works. Right, we can build a lot of defenses, we can better protect ourselves. We can certainly lessen both the likelihood and the impact of a compromise going forward, but to say it'll never happen again, that's not something that we can do. So what we'll do is better position ourselves to lower the likelihood of it happening again, but in the event that it does, and it likely will at some point, but in the event that it does, we'll lower that impact as well. So that's the key. That's what we're trying to do. It took a minute to kind of re-scope people's mentality on this.
Speaker 1: Hmm, yeah, that's interesting, because I feel like, you know, executives at that level, they're not used to not being able to throw money at a problem and have that problem be fully resolved. You know, that's always kind of the question and the approach that's taken. But with security it's like, yeah, we could throw $20, $30 million into this thing, we could have the best tech stack, the best, you know, engineers in the country working on this thing, and we could still get breached by something that, you know, we didn't even know existed. You know, because that's what a zero-day is. You know, they could literally just use a zero-day on us and get around everything that we just did.
Speaker 1: You know, and I feel like it's also really important, what you did there is, you know, explain it that way, you know, because a lot of security teams would just take that money and, you know, like run for the hills basically, and that's maybe the worst case, because what if you take all that money, you deploy all these tools, do all that work, you get the increased headcount and then you get breached? Well, now your job is at risk because you didn't properly kind of prepare them, you know, for that reality. And so now it looks like you're incompetent, when in all actuality you're not incompetent, you know. It's just how it works in security. Yeah, yeah, absolutely.
Speaker 2: It takes a while to change the mindset, right. That's the big, that's the key thing, I think.
Speaker 1: Yeah, that mindset is the hardest thing, I feel, to change. You know, right now I actually work at a pretty large company and when you said, you know, yeah, it's going to take 18 to 24 months to deploy this SIEM, you know, it took me like 12 months to get through a POC of a far smaller solution than a SIEM. It's like embarrassingly slow. You know, like guys, I would have had this done in three weeks, like, come on, just let me do some work.
Speaker 2: Yeah, yeah, I know, I'm with you, yeah. And the other thing, in terms of, you know, avoiding future compromises, is that, no matter how good your tech stack is, right, bad guys are always coming up with new and exciting ways of circumventing them. So, you know, you look at some recent breaches that we've seen hit the news. You know, they're not even targeting technical things anymore. They don't even use a zero-day. Often it's not nearly that complex or technical. They just pick up the phone and call the help desk, right. It's more social engineering that we're starting to see these days, right, because people are easier to hack than systems. It's just that simple.
Speaker 1: Wasn't that the case with LastPass, the LastPass breach, where they like called up support and the support guy had enough access and they just sent him a link and he, you know, he clicked on it, like he normally would, you know, and it completely compromised LastPass as a whole.
Speaker 2: Yeah, yeah, or you look at some of the recent things happening in the desert, right, in Vegas, you know, where they just picked up the phone, called the help desk, purported to be, you know, a high-level security engineer, and they reset his password, they reset his MFA for him, and suddenly we've given the keys to the kingdom to a bad actor. Right, it wasn't enough they just reset his creds, but they also reset the MFA token so that he could get directly in the right way. Right, he didn't have to print anything. There was no link, there was no malicious activity of any kind apart from social engineering. And that's really what we're starting to see these days.
Speaker 1: Yeah, it's really interesting you bring that up. You know, earlier on in my career I did a lot of work with the government and there was a slew of documentation and background checks that I had to do and I didn't even have a TS, right, like I didn't even have Top Secret, I didn't even have Secret, you know, I couldn't touch a keyboard and I still had to fill out like an 80-page document about, you know, every place that I've been since I was born, who
Speaker 1: I spoke to, like, yeah, all that stuff, you know, and one of the things in there, like a part of my training, I guess, you know, I was talking to my handler and somehow we got into this conversation. It was pretty late at night so I don't remember quite exactly what it was, but we were discussing how people get compromised and he said, you know, from his own experience, right, he had a sick kid with cancer. His credit card bills were very high and he was waiting on a tax return to actually pay off the credit cards. Because, you know, he's in government, he has a clearance, he has to make sure that it's low. But it wasn't anything that he did, you know, like he wasn't buying cars, he was buying medicine for his kid and so the agency knew about it. You know, they were very understanding of it. But he said that, you know, enemies will look at that and say, oh, we could cut him a check for, you know, a small amount of money, 20 grand, and it'll alleviate that debt and
Trust and Verification in Security
Speaker 1we'll do that . Just for a name , right , he doesn't have to tell us anything else was doing .
Speaker 1For a name they make it sound very small , very minute . Like what would you ever do with a first and a last name ? Like I'm not even giving you the title , you know , like nothing like that , and you know that's a good point , right . Like I don't know if something like that took place , but like these , these , these people out there , you know that that don't like America or don't like your company or whatever might be , they will literally , you know , pay you tens of thousands of dollars just for a name . I mean , that's a , that's an absurd topic to me , right to go down , because to me that means nothing and that's such a minute thing . I would never , personally , if I was ever confronted with that situation . I mean , now , obviously you know I wouldn't make that choice , because now I have that knowledge , but beforehand I would never , I would never second guess it . You want to give me how much for a name ? Dude , I'll give you the roster . You know , like that's where my mind would be .
Speaker 2Sure , yeah , and the thing is and while that definitely happens right , I mean , when I was in the military , that was definitely something that we talked a lot about , you know is reporting those kinds of things . We're well trained to expect and report those kinds of interactions , regardless of how innocuous they seem . You know ? You look at Tesla . A few years ago , there was an external threat actor that offered a Tesla engineer significant money to just simply produce a single file of malware and let them they'd take it from there , and it was , and he thankfully reported it . So it didn't become an issue . But more , what we're seeing , at least in my experience , is bad actors that are preying on the good nature of human beings . You know , as security people , we don't trust anybody , right ?
Speaker 1I suspect everything .
Speaker 2I'm paranoid , that's just . You know , that's how we are built . However , like Marcy , over in finance isn't built that way , right , they're just people in service roles . Their job is to help people . If you work in finance , your job is to pay bills . You know , if you work in HR , your job is to help people solve problems . And so when someone comes to you needing a bill paid or needing a problem solved , they don't typically look very deeply into those things . They just don't suspect , you know , bad motives , and so they respond to that call for help . Right , you know ? I've talked to an FBI psychologist just before who talked about the power that comes with the request for help . Right , I need your help . Those four simple words right , I need your help . Those are powerful words and they can elicit people to do things they wouldn't otherwise do or that they might be more suspicious of . But because they feel like they're helping someone , they'll do more , they'll go further and not be suspicious , not think they're doing anything wrong and yet be the source of the compromise .
Speaker 1Yeah , that's a really good point that you mentioned . You know , security professionals are some of the most paranoid people that I know . You know I feel like calling it paranoid is not doing it justice , but you get what I'm saying , you know . I'm sure all of our listeners , you know , understand that , which you know brings up a good point . You know , currently , and my current role , right , we POCed a bunch of different WAF solutions , chose one of them and my first response was hey , I want to stand up a Kelly Linux box and I want to pound this thing when we deploy it right as it's going live . As we're creating the rules , I want to make sure that these rules that they claim is working . I want to make sure that they're actually working .
Speaker 1And almost everyone in the room was like you know , you think that they wouldn't , you know , already know that this is working when they're deploying it . Like we have the vendor that created it deploying it for us . I'm like , yeah , that doesn't matter to me . You know , if we're spending this amount of money , we need to know definitively it's working . Like not know , you know , oh , yeah , I'm sure it is . You know , I configured it right . Like no , I ran the configuration issues in the POC for a reason you know , like I configured it to the best of my knowledge and it wasn't working . Yeah , you know . So what does that say about , you know , this solution ? Like I have my own thoughts on it , but obviously I want to , you know , trust but verify . And I think the only other person in the room that agreed with me was my CISO . He's like , yeah , that's exactly why you're here . Like we need someone thinking outside the box , because everyone else in this room is just going to blindly trust this vendor because they put , you know , millions of dollars into this product .
Speaker 2Yeah , I'll tell you , the military does a good job in a few areas and one of them and I'll be honest , I didn't understand the need for it then because it was not very pleasant . But when you go through the gas chamber in basic training , right , we have this CS gas . It's a tear gas , very like you know military grade of tear gas , and to give you confidence in your mask , you have to go through this gas chamber . And so you'll go through . It's very unpleasant . They give you the mask . They tell you the mask works .
Speaker 2I was initially comfortable trusting . I just I'll trust you . I don't need to go through the gas chamber for you , you know , to trust that the gas mask works . But the reality is for all of us to truly understand and appreciate that it works . You got to test it and you got to test it in the worst way , which is you go in there no mask , right , or you go in with the mask , then you take the mask off , you breathe in , you choke , you cry , right , and then you throw the mask on and realize this works . And so it was a lot about not only training how to use it , but it was also learning to trust that it works . I think that's an important lesson in terms of security tooling today as well . Right , we can trust the vendors so far , but I would encourage you and I tell that to my clients right , our customers throw everything you got at it right ? That's how you'll trust it and how we'll make sure that we're meeting your needs . So that's absolutely critical .
Speaker 1Yeah , that's a huge thing that trust would verify . You know , when you bring up the gas chamber there , it makes me remember , or recall , when people were saying that that's too cruel . Right , that's like too cruel for our soldiers to go through . It's like the very first time that they should experience CS . Gas should not be on the battlefield . They need to know one , they're not dying and two , they can get through it because they did it before .
Speaker 1All of these things are absolutely critical . It's the same thing with security or IT in general . You have to build up that resistance . You have to launch a cross-site scripting attack yourself to understand what's actually going on . When I understood what a cross-site scripting attack was , it wasn't because I read it in a book , it was because I did it and I saw oh wait , a minute , I just made this query a little bit weird and I got back three accounts when I should have got back one . Okay , now I kind of understand what's going on . Here I get the function that's going on , which I think is an interesting segue into abnormal security . So let's start with what abnormal is . What's the problem that abnormal security is trying to solve ?
Emerging Threats in Email Security
Speaker 2: Yeah, so Abnormal Security is an AI-native email security solution that uses behavioral data science to really baseline your environment and understand deviations from normal. So, if you think, if you go back a little bit in history and you think about the move from antivirus to EDR, right, instead of trying to define what evil looks like and then find it based on what we know it looks like, EDR flipped tables. It changed the game entirely and said, what if we don't care what evil looks like? What if we just know your environment so well that when we see a process run and spawn another process, right, Microsoft Word shouldn't probably spawn another process? That would be incredibly unusual, at least certainly 10 years ago, maybe a little less so today, but still there are certain behaviors. Regardless of how evil gets into an environment, it sort of standardizes in what it needs to do next, and so that's how EDR changed the game. Well, Abnormal came along and our founders didn't come from the email security space. They actually come from AdTech, so advertising, and they had learned a lot about machine learning and understanding behavior through machine learning algorithms, large language models, and so they were actually behavioral data scientists and started to talk to other folks in the security industry and said, what is a problem that isn't solved?
Speaker 2: Well, today, and one thing kept coming up: email. You know, it's 2023. At the time it was 2018. And we're like, look, email's been around since the dawn of time in terms of the internet and networking. Why are we still talking about email security? And the reality is, because nothing had really solved it completely. You know, you think about what we used to see: malicious links, malicious attachments. Those were kind of the bread and butter of bad guys. And the reality is today, you know, bad guys aren't even using these tried and true methods. We've trained our users in all what worked then, but are now the wrong ways to think. We train them: don't click on any links and you'll be fine. Don't open any attachments from somebody you don't recognize and you'll be fine. Look for misspellings or bad grammar, and that's how you know you found the bad guy. Right, that's a phishing email. Look, the reality is bad guys have departed from those tried and true methods in favor of more advanced attacks.
Speaker 2: Right, first, it started with Grammarly, long before generative AI was a thing. Right, AI, ML, NLP, these things, they've all been around a good long time, but the transition into AI that generated net new content, that is a relatively new concept. Right, ChatGPT was released almost a year ago today, right, November 30th, I think, 2022, kind of changed. But even before that they were using Grammarly to improve, and so. But now, with the advent of ChatGPT and Bard and other generative AI solutions, we're seeing threat actors that couldn't formulate a coherent English sentence two weeks ago can now write a very, they can craft a very good, realistic phishing message, probably better than my 10th grade English teacher, Mrs. Fox, I mean, and that's saying something. So that's what we're seeing, is things are leveling. Generative AI, AI in general, has leveled the playing field for bad actors.
Speaker 1: Hmm, yeah, you bring up a very valid point, is that email security really hadn't changed in, I mean, a decade? You know, like it's kind of the same exact thing, like, oh, this is how you train your users on email security. These are the rules that you configure. You know, like it's such an antiquated method, it would never keep up, you know, in modern day, you know, security. Yeah.
Speaker 2: Yeah, and so, at my last job, you know, I just had never seen a good solution to an email that simply said, hey Bill, it's Bob, give me a call when you get a minute, because that's what we're seeing today. Right, bad actors, it starts with a conversation. Right, if they can, the social engineering attempts that we're seeing today really just seek to start a conversation and carry it from there. Business email compromise is the number one, you know, at least in terms of financial impact, the number one security threat for the last three or four years running, according to the FBI's IC3 report.
Speaker 2: So, you know, this is what we're seeing. And so when I, and I remember thinking at my last company, I had all the right tools, had a wonderful tech stack I'd spent three years building with my leadership, flipped it over entirely, had upper-right-quadrant stuff across the board. It was the tech stack of my dreams.
Speaker 2: And yet there were still things slipping through, and so we needed to think about things differently. Right, you look at the way email security has traditionally been: you set a secure email gateway on the perimeter of your environment to protect you. That's great. It's largely looking for, again, defined evil. Right, it knows malicious IPs, malicious URLs, malicious attachments, but if those things aren't present and if DMARC, DKIM, SPF all check out, it's going to deliver that message regardless of what it says, because it couldn't really look into the body of the message.
Speaker 2: And then I took a meeting with Abnormal's founder, Sanjay. He explained that Abnormal was fundamentally different. Rather than trying to sit on the perimeter and guard things and evaluate them as they pass, it would sit outside as a SaaS solution. It would sit outside your network entirely and make API calls directly into your email tenant, evaluate every message, including those that are that east-west traffic that nothing else could see. Right, 70% of all email traffic is internal, and so SEGs are blind to that. And so, hearing all of this, I said, okay, that's great. I mean, how long is this going to take to install? This is going to take months. You know, I was a Fortune 500 bank. I mean, I couldn't do anything in weeks, let alone months. Standing up the infrastructure is going to be a nightmare. And he said, no, no, no, no, no, that's not how it works, it's all going to just take minutes. It takes three clicks, and because it sits outside, you don't have to change your mail flow, you don't have to make MX record changes, right? All you do is give it the creds and we're off and running. And I said, okay, we'll see. And sure enough we did. We set it up as a POC and I got a report the next day, and I'll never forget looking at that report, thinking, wait, wait, wait, wait. Let me just understand. All this is slipping through my tech stack right now? And he said, yeah, and listen, we want to call your attention to one message in particular. This one here. This is your HR business partner corresponding in real time right now with a threat actor. And I went, no, no, no, no, oh my gosh. And sure enough it was.
Speaker 2: That particular one was a direct deposit fraud case, where they were trying to convince our HR person that one of our internal users was trying to change their direct deposit. They were on vacation and, to be fair, the threat actor had done their homework. They used the world's greatest hacking tool, LinkedIn, found someone with a, you know, big title and probably a lot of money, went and cross-referenced that with Facebook, saw that they were posting pictures from Cabo and realized this person's on vacation. They created a Gmail account that was the user's firstname.lastname@gmail.com. It was an unusual name and it looked very legit.
Speaker 2: And from that email sent a note to our HR business partner and said, hey, I'm on vacation. That's why I'm emailing you from my Gmail account. I don't have access to my corporate account right now. I just realized we changed banks before we went on vacation. But this is really important. I need, you know, we're on vacation, I need my next check to come to the right bank. Can you take my direct deposit information? And she was like, no, you didn't fill out the right form. It's attached for your convenience. And wouldn't you know it? Threat actor fills it out, probably better than any employee ever would, and she was getting ready to make those changes when we caught it. So, as I say, it didn't take much more to convince me we found the right.
Speaker 1: So, you know what I hear a lot of the time. You know, everyone's using Microsoft Office, you know, O365, right? Everyone kind of thinks that Microsoft has this stuff, you know, kind of locked down, that it's, you know, not going to really get through. You can get by with their default settings, you know what I mean. How do you break that mold? You know? Do you break it by showing them? Because I'll tell you right now, actually, you know, we looked at Abnormal internally, right, and it was that exact same mentality. It was like, we already have Microsoft. Like, what are they going to provide that Microsoft isn't? And then when we talked to Microsoft, and Microsoft referred Abnormal Security, and we're like, oh, wait a minute, like Microsoft provides similar things and they still refer us to Abnormal, you know. So, like, how do you break down those boundaries?
Speaker 2: Yeah, I think the key thing is to understand the differences. Right? Microsoft, to be fair, very good, right? If you've got an E5 license and you've got all of this spam stuff turned on, you've got, they do a great job with defined evil. Right? If they know that this is a known malicious IP address, a known malicious sender URL, if, you know, they can look at how recently the URL was stood up, they can do lots of things on the front end.
Speaker 2: However, where they admit, right, to their own, you know, as they brought you guys, you know, they told you guys to look at us. You know, they're admitting that there are still things that they don't do well, and one of those is identifying malicious activity without a link, an attachment, without any known evil, and that's where we come in. We're using those large language models, we're using behavioral data science to baseline your entire environment. So what I say, what I mean when I say that, is that, you know, when, let's go back to that, that I added a moment ago: hey Bill, it's Bob, give me a call when you get a minute, right? The things that we may know, having lived in your email environment for a while, we know that Bill actually goes by William, right.
Speaker 2: Bob knows that, and so for the first time ever, Bob calls him Bill instead of William. Even though they've been friends for a long time, they've traded thousands of email messages, he's never called him Bill. Well, that's unusual, right. And then it comes from a place that we just don't expect, right, where the timing is off. You know, there are certain things tonally, by using, by evaluating the content of the message, using natural language processing, large language models, what we can do is understand, break, parse out the message itself, the message body, and understand what's actually being said for the first time, and so, because of that, we can understand tonal changes. This isn't how Joe normally sounds, you know, he doesn't, he's not this formal in his messaging. Normally, some things and some things differ.
Speaker 1: Huh, yeah, I mean you just answered probably like my next two questions, right? I was going to go back to that email and, you know, ask how do you defend against it? And, you know, what's a large language model? You know, because you always hear these terms with vendors, and at some point, you know, as a security professional, you kind of just gloss over it, right? You don't even look into it anymore. But that makes a lot of sense as to why and how Abnormal is able to kind of change the email security landscape, because you're looking at the actual context of the email, with the context being the other millions of emails that are sent within the environment.
Speaker 2: Yeah, and not only that, but because we're plugged in at that level. Let's assume you're using a Microsoft 365 account for email. You know, we also support Gmail as well if you go that route. But so if you're using Google Workspace for mail, but let's assume it's Microsoft 365. Because of the way you plug in using the API, Microsoft's Graph API, what you can then see also is all of AD.
Speaker 1: So now I see everybody in your company.
Speaker 2: I know what all of their titles are, I know what the work groups are, I know who bosses who, and now I get this rich, the richest understanding of who you are as a person. Now, when you couple that together with all of the past emails I've ever seen you send or receive, I now have this tremendously rich understanding about who you are and how you communicate and who you do it with. So suddenly you get a new message that purports to be from a friend, right, or maybe it's a vendor that you do business with, but something's amiss, right. They call you by the wrong name. It doesn't come from the right email address. It doesn't come from the right IP address or URL. Something's amiss. Even if it, so, with vendor email compromise, we're starting to see vendors get compromised, their email accounts get compromised, threat actors living in those email accounts for a while, understanding who folks do business with and then targeting and preying on those trusted relationships, from the right message, right from the right email account.
Speaker 2: And yet we can still detect that, based upon tonal changes, based upon the way we've, the history of how you talk, so, and we've caught that before. It's very interesting. Hmm.
Speaker 1: Yeah, that's really, it's, it's a fascinating way to look at it, you know, like it, it makes me wonder why no one else ever thought of that before. But I mean, I guess that's a topic for another podcast.
The Future of Email Security
Speaker 1: You know, where do you see Abnormal going in this space in the future? Right, where do you see email security going and growing in the future? You know, if you would have asked me, you know, 10 years ago, if this is where email security would have gone, you know, it wouldn't have been something that crossed my mind, right? I would say it's a good idea. But I never would have said, you know, oh, yeah, like that's where it's going. Yeah, so where do you think that it's going?
Speaker 2: Yeah, I think the key is AI. Right, AI is changing everything. It's changing everything on both sides of the fence, right? So in terms of threat actors, it's leveled the playing field. It's also allowed them to scale attacks in a way we never could have envisioned before. And so I think what it takes, and what you're going to see, you're starting to see it now, but I think it's going to proliferate in a massive way soon, which is security solutions beginning to use AI to combat, right, good AI to combat that bad AI. Because the reality is, as the threats scale up, our defenses need to scale up as well. Because we're seeing so much more throughput in terms of malicious activity, it's going to take different security solutions that are leveraging machine learning that can parse through thousands and thousands, tens of thousands of signals to identify that thread of abnormal, to chase that down and identify that and tell you, as an operator, hey, I think we have something unusual here, and it's really based on the volume of signals that we're seeing.
Speaker 2: It's too much for a human to probably unite that way, and so it's going to take artificial intelligence, through machine learning algorithms that can parse all that data together, just like a SIEM can aggregate and correlate data together from logs. We're going to need it upstream, though, right, in our different security solutions. You're going to need it in your email security. You're going to need it in your EDR. You're going to need it in your firewalls, to be able to parse through and understand, unite all of the disparate information together to understand what's going on.
Speaker 1: Is there any thought around potentially creating, like, a verified user, you know, logo or icon? You know, in an email, so like, let's say, you know, I'm talking to a vendor, both of us are Abnormal Security customers, so you would know if the person that's sending me the email is a real user, right, and you could tell if I'm a real user? Is there any thought around, you know, maybe adding a logo to that email saying Abnormal Security verified user or something like that, right? Because that would really, I feel like, just from a user perspective, you know, that adds a lot of peace of mind where it's saying like, hey, I know I'm responding to the right person in this case. You know, anything like that?
Speaker 2: You know, we've talked about that before. You know, Google just released that capability. You know, the sort of the blue check mark, if you will, you know, if you go back to Twitter's mentality. You know, we've looked at that concept before. The challenge with that is that this is, that that was the concept of the Sender Policy Framework, SPF, using DMARC and DKIM to verify the authenticity of the sender. So those things actually already exist, and as long as we're all good corporate citizens and you have your SPF set to fail and/or reject or whatever, you shouldn't be allowed to spoof. Traditional spoofing has kind of fallen out because most companies do the right thing: they set up their DMARC, their DKIM. SPF is set to reject, so if it doesn't come from the right place, it shouldn't reach you at all in the first place. That's sort of email security 101.
Speaker 2: Now, if you fast forward, the real challenge then becomes, how hard is it to compromise an email, a cloud email account, today, right? Whether it's credential stuffing using compromised creds that are found all over the place, because users refuse to change their passwords, or they use weak passwords, or whether it's like a credential phishing attack and I've now collected your creds. Regardless.
Speaker 2: Let's say I have your creds. Logging into your, it's already a done deal. If you don't have MFA enabled, right, I can just log directly into your Office 365 account. Now, if you have MFA, I can still brute force it, right? I can still try and smash you at 3am with push after push after push until eventually you just accept one. And now I'm in. So compromising a cloud email account by itself today, it's pretty trivial to do. The danger then becomes, now that I'm in as you, into your account, I can send messages as you, with the blue checkmark or whatever would be there. So I fear that it would give a false sense of security in the circumstance of an account takeover.
How to Find Abnormal Security
Speaker 1: So that's where you've got to be cautious these days. Yeah, that makes sense. I, somehow I didn't think of that, but it definitely makes sense. Well, Mick, you know, I really appreciate you coming on. Unfortunately, I think we're at the top of our time here, you know. So, before I let you go, how about you tell my audience, you know, where they can find you if they want to reach out, where they can find Abnormal Security, if they wanted to learn more about Abnormal?
Speaker 2: Yeah, yeah, you guys can reach me directly at mick@abnormalsecurity.com. That'll reach me, M-I-C-K at abnormalsecurity.com. You can also go to abnormalsecurity.com/demo if you want to see how this works, because seeing it live changes lives. I'm going to tell you that right now. And lastly, if you want to sign up for a free risk, free trial, if you want to, we can come in and do a report. You can go to abnormalsecurity.com and we'll be able to set you up there as well.
Speaker 1: So, yeah, I think we're going to be able to do a report. You can go to abnormalsecurity.com/demo if you want to see how this works.