security – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations
Mon, 10 Mar 2025 04:02:31 +0000

Upcoming webinar: Identity security with Token
https://ostermanresearch.com/2024/12/10/upcoming-webinar-identity-security-with-token/
Mon, 09 Dec 2024 21:02:23 +0000

Token participated in our recent research on identity security – see our multi-client report at Safeguarding Identity Security: We Need to Talk about MFA. Token offers a next-generation MFA hardware device in the form of a wearable ring with a biometric reader, which is a much stronger approach to MFA than anything relying on one-time codes.

On Tuesday December 10, we will be talking with John Gunn (CEO at Token) about securing user identities. You can attend the webinar with us – How to Unlock the Future of Identity Security by Stopping Phishing and Ransomware.

The key topics for our conversation include:

  • Identity Security in Crisis: 79% of organizations have suffered from identity attacks in the last year. Discover why traditional MFA is no longer enough to stop phishing and ransomware.
  • Phishing-Resistant MFA: Learn about cutting-edge innovations like biometric and hardware token-based MFA that block even the most sophisticated attacks.
  • Real-World Solutions: Practical steps for upgrading your identity security, stopping account takeovers, and ensuring compliance with the latest standards.

We hope to see you on Tuesday December 10.

Yuo cna porbalby raed tihs esaliy desptie teh msispeillgns
https://ostermanresearch.com/2024/10/16/scrambled-brain/
Wed, 16 Oct 2024 03:45:26 +0000

From Why Your Brain Can Read Jumbled Letters:

It deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

One of the common recommendations in security awareness training for identifying phishing emails is to check that email addresses and domain names are correct. That means confirming that microsoft.com really is microsoft.com and not some close derivative (like microsott.com or M1CROSOFT.COM), and that an address is actually paypal.com, not paypa1.com. Small changes in email addresses and domain names can signal big trouble ahead (e.g., BEC incidents that result in paying the wrong person), and it takes a snazzy piece of brainwork to consistently identify those subtle changes. Slow down, read the address carefully, and then proceed with caution. That’s the general advice.

While snazzy brainwork is helpful in detecting new cyberattacks, the way our brains work can undermine the very outcomes we’re trying to achieve. As with the headline for this post, many of you can quickly read what’s written, and while the first couple of words may take a millisecond longer than normal to get, the subsequent ones get progressively easier. Optical illusions provide a second category of examples where what looks reasonable on first glance becomes more complicated on the second.

Hence, with respect to security awareness training, the advice to check the email address and domain name is sound but flawed. We would want someone to see that memcosoff.com was not microsoft.com, but we should not be surprised when people miss the difference between slight variations. Yes, the differences between paypal and paypa1 may be clear and obvious in retrospect, but to write people off due to missing the differences when their brain actually creates the signals it expects to see is disingenuous.

We’re great advocates for email security solutions that use anomaly detection (and similar techniques) to do the heavy lifting in identifying subtle changes in email addresses and domain names. Textual analysis for near-matches, unusual patterns in combining sender names with email addresses, and the like provide a level of machine-precision that brains can’t match (and that’s okay, since brains are good at other things). Asking your people to check these details is fine, but don’t do so without using the best of what’s now available to detect, highlight, and remediate cyberattacks predicated on subtle differences that brains will often miss.

Upcoming webinar: Overwhelmed with Alerts – with Sevco Security
https://ostermanresearch.com/2024/10/10/upcoming-webinar-overwhelmed-with-alerts-with-sevco-security/
Wed, 09 Oct 2024 18:00:32 +0000

Sevco Security sponsored our recent report on Making the SOC More Efficient. Sevco offers a single platform for exposure management, vulnerability prioritization, and remediation with visibility across the attack surface.

Next week on Thursday October 17, we will be talking with Brian Contos (Chief Strategy Officer at Sevco) about SOC efficiency research. You can attend the live webinar with us – Overwhelmed With Alerts? Best Practices for Improving SOC Efficiency and Effectiveness.

The key topics for our conversation are:

  • Addressing the growth of backlogged alerts
  • Trends impacting the SOC over the next 24 months
  • Insufficient visibility into current and emerging threats across many systems
  • Strategies to drive a more proactive approach to security threats

As background, we had a briefing with Sevco in August. There were several highlights for us from that conversation related to making the SOC more efficient:

  • Sevco’s emphasis on aggregating data signals from many different sources. Leveraging what exists via collection agents to pull everything together and provide the data for making decisions is a very clever play.
  • Sevco’s ability to empower the SOC to make decisions on escalations, policies, and procedures. Integration of everything for a comprehensive inventory means the SOC can minimize time spent doing data collection and triangulation, and instead use what Sevco makes available for such processes.

Hope you can join us next Thursday.

Making the SOC More Efficient
https://ostermanresearch.com/2024/10/09/making-the-soc-more-efficient/
Tue, 08 Oct 2024 18:29:33 +0000

Setting the research agenda at Osterman Research is a never-ending process of looking at possibilities, gathering early intel on the importance of each topic, and filtering a larger list to focus on the critical topics that can move the needle for cybersecurity at organizations. Many projects that end up on our agenda come about naturally from our ongoing wider research programs. Some, however, are suggested to us.

Our latest research agenda program fits in the latter category. When we were looking at possibilities for 2024, a client suggested:

Something around how the security industry is evolving to make the SOC more efficient and reduce stress and burnout would be good. For example, the H/M/L prioritization of alerts didn’t really do much. What are vendors doing that works, and what doesn’t work? (There could be a little AI in here, but it would be good to go beyond that.)

That nudge (thanks, Bob!) became the origin point for our latest report, Making the SOC More Efficient (available on the main Osterman Research site). It’s a long paper (26 pages) that attempts to deal thoughtfully and in-depth with the topic, exploring the data points we captured through the survey and advocating a way forward. There is more than “a little AI” in the report, though, as this has become both the greatest threat (82.4% of security leaders said that “the use of AI by cyberthreat actors in cyberattacks” was “very impactful” or “extremely impactful” – the highest-rated trend in this research) and one of the greatest tools for defenders (via the rise of AI-enabled cybersecurity solutions).

Some of the key takeaways from the research:

  • Current SOC approaches have hit the wall
    Confidence in the ability of the SOC to protect against the threats detected by their security tools has dramatically increased during the past two years, but this increase in confidence is expected to rapidly crater. The innovations that drove increased SOC performance over the past two years do not contain the necessary ingredients to continue driving performance over the next two.
  • Specialized threat intelligence to eliminate false positives, AI for behavioral analysis, and autonomous remediation seen as top innovations
    The three innovations seen as most likely to drive SOC efficiency and reduce stress and burnout among SOC analysts are the use of specialized threat intelligence to eliminate false positives; using AI for behavioral analysis in investigating alerts and autonomously creating or updating detection rules; and autonomously remediating incidents without SOC analyst intervention. Almost half of respondents gave two AI-powered defensive innovations the highest rating.
  • New innovations improve SOC metrics by a composite average of 35%
    All organizations in this research are already experimenting with at least one new approach to improving the efficiency of their SOC. The most impactful innovations on key SOC metrics (time to begin working on an issue, time to close an incident, and number of false positives) are AI behavior analysis with autonomous rule creation/updating, AI behavioral modeling for detecting baseline deviations, and autonomous remediation of incidents.

If SOC efficiency is in your wheelhouse, we’d love you to get a copy.

This program was sponsored by Dropzone AI, HYAS Infosec, Radiant Security, and Sevco Security.

Cybersecurity Perspectives 2024: Enterprises Race to Defend Against Accelerated Pace of Emerging Threats
https://ostermanresearch.com/2024/05/24/scalevp-perspectives-2024/
Thu, 23 May 2024 22:38:29 +0000

Osterman Research announces the publication of a new white paper – Cybersecurity Perspectives 2024: Enterprises Race to Defend Against Accelerated Pace of Emerging Threats. This white paper was commissioned by Scale Venture Partners.

This is the eleventh year that Scale has produced this research (in collaboration with Everclear Marketing, we’ve helped over the past three years). The survey and report look at evolving threats and solutions, investment priorities for cybersecurity technologies and strategies (make sure you see the top 10 chart for this year and the changes from last year), and funding and buying patterns. The data is from senior-level decision-makers at organizations with 500 or more employees. AI has an increasing focus in this year’s research – as you would expect. 

Key findings:

  • Data breaches increased, led by phishing and third-party attacks.
  • CISOs prioritised cloud infrastructure and data center security.
  • Attackers targeted AI models while security played catch up.
  • Security budget growth showed signs of slowing.
  • Market gaps found in software supply chain security and ADX. 

For details on how to get yourself a copy, please check out our portfolio.

Fortifying the Organization Against Image-Based and QR Code Phishing Attacks
https://ostermanresearch.com/2024/03/12/fortifying-the-organization-against-image-based-and-qr-code-phishing-attacks/
Tue, 12 Mar 2024 04:05:47 +0000

Last week, IRONSCALES published the research on image-based and QR code phishing attacks that they commissioned from Osterman Research. With the topic being top of mind across the email security market, we valued the opportunity to carry out a primary market research investigation of what organizations in the United States are actually seeing and experiencing from this new type of phishing threat. You can get a copy – without having to register for it – from the IRONSCALES web site.

There’s a lot of good data and vital recommendations in the white paper based on what we found from the survey. Get your copy from IRONSCALES and scan the key findings on page 2, and then dive into what is of most relevance to you. In this article, what I want to focus on is the eureka moment as we looked at the data.

Consider this finding from one of the questions in the survey: more than 70% of respondents self-assess their current email security stack as highly effective at detecting image-based and QR code phishing attacks. This is from IT managers, IT team leads, IT security managers, email security managers, email security administrators, etc. These are the men and women on the front lines that are deeply involved in securing their organization against traditional, new, and emerging phishing threats – such as image-based and QR code phishing attacks. While that means 30% are less than confident in the efficacy of their detection capability, 70% out of the gate is a pretty high benchmark.

But then juxtapose that finding with another one: only 5.5% of respondents said their current email security defenses were able to detect and block all image-based and QR code phishing attacks from reaching user inboxes. That means 94.5% had one or more of these new types of phishing attacks flow through their email defenses to an employee’s inbox, and based on that happening, 75.8% of organizations experienced a compromise of account credentials or exfiltration of sensitive information due to image-based or QR code phishing attacks over the previous 12 months. In comparison to the data point above, that’s quite a low benchmark of battle-tested reality. It could be the tale of the one that got through, but that doesn’t make logical sense if 75.8% of organizations experienced a compromise based on just one that slipped through. Many, many of these attacks must have made their way through to inboxes, and someone or someones at each organization got phished.

On that note, better cybersecurity awareness training and phishing simulations based on real-world examples of image-based and QR code phishing attacks was a highly ranked strategic intent across the organizations we surveyed. If attacks will get through, make sure employees know what to look out for. But equally, and in parallel, augmenting current email security defenses is just as essential. People plus tech work in combination; it’s not either/or.

We will be joining IRONSCALES for a webinar on April 11 to dive into the findings. There will be Q&A … so please register and attend to have your questions answered.

And so it begins … the deepfake meeting scams
https://ostermanresearch.com/2024/02/10/deepfake-meeting-scams/
Fri, 09 Feb 2024 18:37:48 +0000

The New Zealand Herald covered the story of a deepfake meeting scam attempt against Zuru in November 2023, which [1] featured a deepfake of the CEO attempting to get the CFO to transfer money, but [2] was less than optimal since while the deepfake video presented a perfect rendition of the CEO, the “AI wasn’t sophisticated enough for a real-time voice exchange.” The deepfake CEO reverted to a text exchange (by the sounds of it, either a chat session during the Teams meeting or a WhatsApp message exchange), but since the language used during that exchange deviated from the language patterns of the actual CEO, the CFO saw through the fraud attempt.

We’ve come a long way in three months, apparently, since a successful and costly incident happened a couple of weeks back that seamlessly merged video and voice of multiple deepfakes in an online meeting to trick a finance employee into transferring a large sum of money. This happened at the Hong Kong office of an unnamed multinational company, resulted in losses of US$25.6 million, and saw the scammers “convincingly replicat[ing] the appearances and voices of targeted individuals using publicly available video and audio footage.”

A couple of thoughts on the above:

  1. There is speculation in the comments section of the ArsTechnica article that the finance employee in Hong Kong was complicit. Yes, that’s possible, but voicing such speculations is fraught with danger, because irrespective of whether it proves to be true or false, such actions have smeared many an individual and resulted in some taking their own life out of a sense of public shaming. If the Hong Kong employee was duped, he or she should be supported, not shamed. It points to a significant area of weakness in organizational processes and systems that the multinational company will need to address, along with everyone else.
  2. Requests for secret transfers of money to new bank accounts should be an immediate red flag, irrespective of the person asking for this to happen. For any organization that doesn’t have a policy on this type of request, along with a strong authorization process that applies in such cases, fraud and other types of questionable behavior will only continue to succeed.
  3. From a tech perspective, this highlights the need for using authorized apps only, enforcing strong identity security controls, and recording and archiving online meeting content for subsequent review.