This is Not a Phishing Email

On the rapid growth in phishing and acceleration of email and cybersecurity innovation

Welcome back to The Innovation Armory. Today’s piece is on the rising prevalence of phishing breaches through COVID-19 and its implications for cybersecurity innovation. I speak with Eyal Benishti (CEO of IRONSCALES) and discuss what differentiates cybersecurity innovation and AI-based business models vs. traditional enterprise technology businesses. Please enjoy and happy holidays!

My next piece will be on the dark side of innovation: how technology has accelerated the use of misinformation campaigns and the role it must play in the solution going forward.

Phishing attacks have been dramatically on the rise in recent years, accelerated even further during COVID-19. Gmail alone now blocks 100M+ phishing emails per day, with 18% of those uniquely capitalizing on emotions related to the COVID-19 pandemic. The degree of sophistication of these attacks has also been increasing. Most are familiar with traditional attack schemes, like emails of a purported banished Nigerian prince soliciting funds. There are some pretty amazing internet memes on this topic. Like this one that hopefully doesn’t apply to your own grandma:

The surge of attacks related to COVID-19 is more sinister in nature. For example, there are documented attacks in which seemingly reputable organizations reach out with the opportunity to buy scarce medical supplies or donate to essential-worker fund pools, and in which attackers impersonate government health organizations and even the WHO. The pandemic is a very sensitive time as the world deals with a flurry of emotions, including grief over the loss of loved ones, empowerment to help one’s community and fear of contracting the virus. Phishers are capitalizing on these powerful emotions at breakneck speed while internet users are at their most vulnerable. Phishing-related sites have generally been on the rise since 2017, and there was a large spike correlated with the start of the pandemic in 1H 2020:

Why is phishing becoming even more effective during the pandemic?

  1. Targets Weakest Link of Security Stack - phishing is the type of threat where, regardless of the amount of technical innovation, an organization’s defense is only as strong as the weakest link in its security stack. Cybersecurity networks are a sophisticated web of device management, web filtering, firewall, anti-malware and other protection solutions. Importantly, humans are also part of this network: they are either the “last mile” of defense or a potentially threatening link that could compromise an organization’s network security. Unfortunately, because phishing attempts leverage social engineering and emotional hacking methods, humans are almost always the weakest link in an organization’s security stack.

  2. Psychological Constraints - in addition to the pandemic-specific emotional phenomena discussed above, I think there are two other key psychological elements at play that make phishing so destructive. First, as the job market has tightened during the pandemic, many organizations are applying more pressure on employees to be increasingly productive at work. Mailboxes are becoming more cluttered, and getting through email increasingly feels like a chore and a constraint on productivity. As of the end of 2019, less than 50% of working Americans could get to “inbox zero” by the end of each workday. Increasing productivity demands and not enough time to get through email yield a disastrous combination: each email is scrutinized less, allowing more phishing links to slip through the cracks. Second, people’s daily lives during the pandemic are generally more boring because of constraints on the normal activities they would otherwise do with family and friends. Phishing links capitalize on curiosity and intrigue to drive a higher click-through rate during this relatively humdrum time in our lives. In a phishing study where participants received an emailed link to a New Year’s Eve photo album the sender claimed they were in, over 33% of participants clicked the link out of curiosity, knowing they had not even attended the New Year’s party. When the click is driven by curiosity, there is a large disconnect between the employee and the organization: the employee doesn’t fully appreciate the magnitude of the potential threat from clicking a malicious link.

  3. Rapid Digitalization - for remote professions, 100% of the workday is now conducted online, and most professions have experienced a rapid acceleration towards digitalization. More time spent online equates to more opportunities for employees to be phished. Jobs within an organization that previously were not online are now forced to be, which introduces a less technologically sophisticated segment of the workforce to potential phishing schemes. In addition, as employees work from home, they increasingly conduct a mixture of personal and professional activities on their work devices. This mixture expands the scope of links employees are willing to click on work devices, and when conducting personal activities, their guard against phishing is most likely lower than it otherwise would be in a pure work environment.

I caught up with Eyal Benishti, CEO of IRONSCALES, to hear his perspective on the rise of phishing amidst COVID-19 and how artificial intelligence powered software solutions can help address this growing problem. IRONSCALES is a leading email security platform that helps detect, respond to and block nefarious links from reaching corporate inboxes with the help of AI. Relative to other businesses in the anti-phishing / email security space, IRONSCALES leverages an organization’s own employees to tag certain malicious links, senders, emails and sites as phishing attempts, both to remediate phishing threats in real time and to provide the data inputs that improve its machine learning algorithms, which then more effectively block future tailored attack attempts. Of course, there will always be employees who accidentally click links they should not. However, for employees that are discerning at identifying phishing attempts, organizations ought to actively include them in their security strategy instead of viewing them solely as a potential security liability. This approach effectively transforms discerning employees in an organization from the potential weak link in a security stack into shredded security guards who are actively and efficiently contributing to the defense of their own networks:

My Conversation with Eyal Benishti (CEO of IRONSCALES)

SN: Could you comment on the different types of attacks you see on the rise and what makes phishing so difficult for organizations to deal with? What are the differentiated challenges of dealing with phishing vs. other types of cyber targeting?

EB: If you look at phishing or other types of social engineering, it is a unique type of cybersecurity attack because it is not attacking machines or servers, but rather attacking humans. If you look at recent phishing attacks, you see more businesses being compromised and more impersonations, and fewer malicious payloads attached to links. The attacks are designed to incentivize humans to do something they are not supposed to do. Some solutions for phishing have focused on gateways and signatures trying to detect bad IPs, bad actors and filter links by keywords. However, these traditional methods fail because phishing, unlike other attack vectors, puts humans at the center. The next innovation after filtering was focused on training. The idea was that if we know the technical gateway will fail sometimes, let’s train humans to be smarter about choosing not to engage with phishing links. This acknowledged the fact that humans must be an active layer in defending the organization.

SN: You mentioned the first and second phases of innovation against phishing, what phase would you say we are in right now that IRONSCALES is playing a role in?

EB: I think we are far past the first generation. Phishing awareness and training tools were created 12-13 years ago and were the plain vanilla solution to the post-delivery phase. Pre-delivery emphasis means focusing on trying to filter out bad links before they are placed in an employee’s inbox. IRONSCALES believes that employee awareness is not a standalone solution. We have focused on building solutions that enable the employee to be more actively involved and have a better effect on what the organization can remediate. Employees must report back to their teams to give their organization the knowledge and tools to improve their filtering and response. There always will be some employees that click bad links, but it is about incentivizing those who do react fast and effectively to report links to system administrators to prevent a system intrusion. Within 82 seconds of receiving a phishing link, your first organizational user will normally click on it. After about 5 minutes, 80% of those who would normally click, likely will. The third generation of email security innovation uses employees as an active sensor to drive remediation of these issues.

SN: Through COVID-19 and increasing digitization of traditionally offline businesses, have you seen a surge in phishing attacks and a more frequent cadence?

EB: Yes, we have seen more than a 600% increase since COVID-19 started. These phishers are seasonal and will take advantage of specific situations to generate income. In a much more organized manner, we have seen cyber-criminals jumping in and immediately creating tailored campaigns, for example around whether virus tests have come back positive or negative. It was getting to the point that we added new COVID-19-specific reporting functionality to our software. Cybercriminals have used this as an opportunity to drive higher click rates as more people are online more frequently throughout the day. Email phishing has been morphing at scale. You have 4 million new phishing attempts every day and each day they get greater, smarter and better.

SN: What has actually been spent on anti-phishing technology as rates have been increasing? What does IT spend look like across the sector from SMB vs. enterprise and private vs. government / public? Are any of these segments stuck in phase 1 or phase 2 of innovation?

EB: From a private sector perspective, financial services, healthcare, education and government have been spending more. We are seeing companies spend more on securing their employees that are now working remotely. We do see more and more companies that are forward thinking that are investing in newer solutions and giving up generation 1 and 2 solutions, especially those on the SMB side that are moving from on-premises to the cloud. We see opportunity across a variety of different segments because no one is immune from phishing. The need is there for the government but the sales cycle is a lot longer. Technically, they have more pre-existing security controls in place and have a false sense of security because they have invested in many things like malware protection and threat intelligence, but don’t necessarily recognize that their stack is legacy and further don’t appreciate the modern nature of newer threats as these phishing campaigns morph.

SN: Do you see phishing happening in other areas that are important to enterprise communication like Slack, instant messaging channels, etc.? Do you view expansion to other communication vectors as important?

EB: I don’t see Slack, Teams and other communication tools as a large threat because they are used often for internal collaboration. They are more secure by design vs. e-mail, where anyone can craft and send an email. 96% of phishing attacks are through e-mail vs. other communication vectors. As we see phishing move to other vectors over the long term, we do need to be ready though to mobilize to protect those channels. The #1 vehicle out there will be email for a while.

SN: How do you think about how anti-phishing technologies play into broader cybersecurity platforms? For Ironscales, do you plan to expand beyond phishing organically or through acquisition? In 10 years time, will anti-phishing platforms need to compete on multiple cyber vectors to remain differentiated?

EB: I’m going to use autonomous vehicles as an example here to illustrate my point. You can’t take the same AI algorithms you use in other areas to train an autonomous car. I think you will see more and more researchers and companies applying their research to specific problems but there simultaneously being a need for greater orchestration solutions so these point solutions can communicate with one another. I think the innovation will happen on a vertical basis within endpoint, web, email and other layers of the security stack. Each specific application must remain best-in-class because of the nature of cybersecurity. In this space, it is very difficult to build something that is the “jack of all trades”. For IRONSCALES, we always want to be the best cybersecurity solution to detect that something is not normal in someone’s mailbox. I foresee our solution eventually signaling to higher-order orchestration tools that they need to trigger a chain of events like lock down a specific IP or quarantine specific endpoints. The orchestration is a result of the aggregate of signals from best-in-class security technology. You do see some other players trying to grow cybersecurity platforms across vertical applications, but it is generally through acquisition (vs. organically) because each solution is like a full new company in terms of product complexity. I believe the best thing for us as cyber defenders is that we have great companies solving very specific problems with the broader platforms being orchestration solutions that sit on top of these niche solutions. Some forward thinking companies we work with correlate our signal and leverage our APIs to interface with their other security solutions to drive a more holistic security umbrella.

Data Efficiency in Artificial Intelligence Business Models

My conversation with Eyal got me thinking about the types of AI-based business models that can scale efficiently with strong gross profit margins. Relative to traditional enterprise software businesses, many AI businesses tend to record lower gross margins due to a couple of factors:

  1. Human Involvement - artificial intelligence models still require human input to manually tag and transform large datasets. This can be a very time-consuming process. While these human costs don’t necessarily scale linearly (as the AI self-improves over time), they are material and are often borne by the company developing the AI model.

  2. Long Tail Use Cases - artificial intelligence algorithms are often used in highly complex and predictive situations, which is why self-learning and self-improvement are needed to adequately address these enterprise problems. AI models thrive where enterprises face highly idiosyncratic, dynamic problems that require tailoring and continuous improvement. Because the inputs that feed these models and use cases can be so specific to organizations, the models and products created are not necessarily as portable across companies, which may require more bespoke variable development work as new customers are onboarded.

IRONSCALES highlights two interesting features for AI businesses to think about as they scale to address these issues and drive margin expansion over time:

  1. Outsourcing Data Tagging - IRONSCALES outsources the tagging of data that feeds its filtering and remediation algorithms to the client’s own employees, shifting these data-cleansing costs from the company’s income statement to the client. In the case of phishing, it is preferable for the client that their employees help with the data tagging that feeds the AI filtering algorithms for a number of reasons. First, employees are already monitoring their email, so there is little to no productivity impact or financial cost to the employer when an employee tags and codes an email. Second and more saliently, attack remediation can occur faster, since employees respond to their inboxes in real time, faster than outsourced data-labeling staff could. Third, employees have more institutional and industry-specific knowledge and are able to limit the number of false positives that are reported back to the algorithm. This is important because there is also a cost to the organization of filtering out non-malicious emails that employees need to act on for purposes of their work.

  2. Prioritize Use Cases That Productize Industry - the inputs that drive an AI-powered anti-phishing model will vary between clients but these variations should largely correlate with the sector / sub-industry of the client. For example, for two companies in the retail space, common phishing attempts might include a link to a fake purchase order invoice or a referral to a malicious vendor source. In the case of IRONSCALES, these tagged phishing attempts are the main data inputs that drive the AI model. However, for other AI use cases, the data input spread will be much wider for companies that may even be in the same sub-industry. For example, if the AI use case is the prediction of demand for long-sleeved shirts for a retailer, the data inputs could include color, in-stock availability, geographic footprint of storefront, design differences and more. These will all vary dramatically between retailers. In situations where there is less data input difference within client clusters, there will be less bespoke development required and it will be easier to productize a use case across a wider base of common users, while minimizing incremental software research and development required for each new client.
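The employee-as-sensor loop described in the interview and in point 1 above (weighted reports from discerning employees, one confirmed report sweeping every affected mailbox, analyst verdicts feeding back to suppress false positives) can be sketched as follows. This is an added illustration, not IRONSCALES’ code: the reputation formula, the threshold and all names in the constructed scenario are assumptions.

```python
"""Crowd-sourced phishing-report loop: employees act as sensors, reports from
employees with a good track record count more, and once a cluster is confirmed
it is pulled from every mailbox that received it. Added illustration, not
IRONSCALES' code; the reputation formula and the threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Reporter:
    confirmed: int = 0   # past reports an analyst confirmed as phishing
    rejected: int = 0    # past reports that turned out to be false positives

    def weight(self) -> float:
        # Laplace-smoothed precision: an unknown reporter counts as 0.5,
        # a long confirmed record approaches 1.0, repeat false positives sink it.
        return (self.confirmed + 1) / (self.confirmed + self.rejected + 2)


@dataclass
class Campaign:
    recipients: set = field(default_factory=set)    # mailboxes that got a copy
    reporters: list = field(default_factory=list)   # employees who flagged it
    score: float = 0.0
    quarantined: bool = False


class ReportLoop:
    def __init__(self, threshold=1.0):
        self.threshold = threshold      # assumed: roughly one trusted report
        self.reporters = defaultdict(Reporter)
        self.campaigns = defaultdict(Campaign)   # keyed by (sender, link)

    def deliver(self, sender, link, mailbox):
        self.campaigns[(sender, link)].recipients.add(mailbox)

    def report(self, employee, sender, link):
        """Flag one copy; returns mailboxes swept when the score crosses threshold."""
        c = self.campaigns[(sender, link)]
        if c.quarantined:
            return set()
        c.reporters.append(employee)
        c.score += self.reporters[employee].weight()
        if c.score >= self.threshold:
            c.quarantined = True        # one verdict remediates every inbox
            return set(c.recipients)
        return set()

    def adjudicate(self, sender, link, malicious):
        """Analyst verdict feeds back into each reporter's reputation."""
        for employee in self.campaigns[(sender, link)].reporters:
            if malicious:
                self.reporters[employee].confirmed += 1
            else:
                self.reporters[employee].rejected += 1


def demo():
    """Constructed scenario: a fake-invoice wave and a benign internal newsletter."""
    loop = ReportLoop()
    loop.reporters["alice"] = Reporter(confirmed=9)          # weight 10/11
    phish = ("invoice@vendor-portal.example", "http://pay.example/inv")
    news = ("news@company.example", "https://intranet.example/news")
    for mbox in ["alice", "bob", "carol", "dave", "erin"]:
        loop.deliver(*phish, mbox)
        loop.deliver(*news, mbox)
    out = {"alice_first": loop.report("alice", *phish)}      # 0.909 < 1.0
    out["swept"] = loop.report("bob", *phish)                # +0.5 -> sweep all
    out["fp"] = loop.report("bob", *news)                    # 0.5, no sweep
    loop.adjudicate(*phish, malicious=True)
    loop.adjudicate(*news, malicious=False)
    out["bob_weight"] = loop.reporters["bob"].weight()       # (1+1)/(1+1+2)
    return out
```

The single benign report never crosses the threshold, so the newsletter is not pulled from anyone’s inbox, while the fake invoice is removed from all five mailboxes after two reports.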

The Nuances of Cybersecurity Innovation

Eyal mentioned that he believes innovation within cybersecurity must happen on a niche and vertical level (point solutions) vs. one company offering and maintaining a broad portfolio of cybersecurity software assets. At first, this seems counterintuitive when comparing cybersecurity to other traditional enterprise software segments, where there are numerous benefits to offering various point solutions through one platform, including a) enhancing customer loyalty through the use of multiple of the vendor’s products and b) maintaining a more efficient organization, as salaried employees can work across products.

However, digging deeper, a plausible explanation here comes down to two factors: the nature of competition and the asymmetry of product failure that are unique to cybersecurity.

  1. Nature of Competition - within traditional enterprise software, businesses are competing solely against other vendors. Within cybersecurity, businesses compete against industry peers but also, more importantly, against the cyber-criminals that are trying to breach clients’ security networks. Therefore, product investment into innovation must exceed both the cumulative investment of your peers and of cyber-criminals to remain competitive. The best cybersecurity companies need to play double defense to maintain dual moats against industry peers and cybercriminals. Cybercriminal groups nowadays don’t merely consist of lone-wolf hackers but are often structured into organized cybercrime syndicates that can make billions of dollars every year. They are incentivized financially to invest in their own development resources to stay ahead of advances in cybersecurity and to maintain their anonymity. Further, as new devices are released and new software becomes popular, the number of potential bugs and network loopholes increases almost exponentially. Because cybersecurity businesses are constantly competing with an extra set of stakeholders (who potentially have even more to lose financially), product investment cannot slow in the way it may for other, more mature enterprise software businesses once they have established a large market position.

  2. Asymmetry of Product Failure - sophisticated cybersecurity software seeks to protect businesses from the devastating consequences of the long tail of breaches. The average cost of a normal data breach for a business today is around $4 million, with mega-breaches of larger businesses creating up to a $390+ million liability. Because of the massively high stakes of a mega-breach, these products need to be near perfect to avoid liability to their clients. Even a 0.0001% breach, if it occurs, could cost hundreds of millions of dollars. Near perfect isn’t good enough in this industry given how asymmetrically high the costs of product failure can be relative to other types of enterprise software. There is a common statement in the startup world that new innovations should aim to deliver a 10x better experience to get customers to move and counter-act the switching costs of more mature, less robust solutions. However, the normal frictions of traditional switching costs are less applicable in a cybersecurity setting, where they pale in comparison to the potential costs of a mega-breach.

Both of these factors force cybersecurity companies to invest meaningfully more, and faster, in product innovation because the use case they are solving (hacks from cybercriminals) is dynamic and constantly evolving. Companies that offer numerous products across different industries / sub-specialties need to make portfolio-wide decisions that efficiently allocate resources across their product suite so that each product is good enough, but the overall bundle is great vs. competitors. It is tough (but not impossible) to manage a portfolio and have each application be absolutely best-in-class. Customers will sometimes choose platform solutions over point solutions because of the benefits of having all of their applications integrated. It is less common for these integration benefits to outweigh the potential costs in the cybersecurity realm, because clients want each application to be best-in-class due to the zero-sum liability potential of a breach. For a global enterprise to choose a solid platform over the best point solution, these benefits need to outweigh the potential long-tail metaphorical bomb of a mega-breach on an organization:

Therefore, I believe one of the best opportunities to build the largest businesses in cybersecurity focuses on application orchestration, namely ensuring that an organization’s best-in-class point solutions collaborate with one another to automatically identify, remediate and preemptively address potential breaches. Orchestration solutions sit on top of point solutions effectively as a metaphorical orchestra conductor that analyzes the signals and leverages specific workflows from each application to best handle each unique cybersecurity situation. 

As organized cybercrime grows and gets smarter, enterprises will continue to invest in best-in-class point solutions like anti-phishing technology, while integrating their applications through orchestration network webs.

All Innovation Armory publications and the views and opinions expressed at, or through, this site belong solely to the blog owner and do not represent those of people, employers, institutions or organizations that the owner may or may not be associated with in a professional or personal capacity. All liability with respect to the actions taken or not taken based on the contents of this site are hereby expressly disclaimed. These publications are the blog owners’ personal opinions and are not meant to be relied upon as a basis for investment decisions.