On Tuesday December 10, we will be talking with John Gunn (CEO at Token) about securing user identities. You can attend the webinar with us – How to Unlock the Future of Identity Security by Stopping Phishing and Ransomware.

The key topics for our conversation include:

• Identity Security in Crisis: 79% of organizations have suffered from identity attacks in the last year. Discover why traditional MFA is no longer enough to stop phishing and ransomware.
• Phishing-Resistant MFA: Learn about cutting-edge innovations like biometric and hardware token-based MFA that block even the most sophisticated attacks.
• Real-World Solutions: Practical steps for upgrading your identity security, stopping account takeovers, and ensuring compliance with the latest standards.

We hope to see you on Tuesday December 10.

It deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.

One of the common recommendations in security awareness training for identifying phishing emails is to check that email addresses and domain names are correct. So microsoft.com is that, and not some close derivative (like microsott.com or M1CROSOFT.COM) and it’s actually paypal.com not paypa1.com. Small changes in email addresses and domain names can signal big trouble ahead (e.g., BEC incidents that result in paying the wrong person), and it takes a snazzy piece of brainwork to consistently identify those subtle changes. Slow down, read the address carefully, and then proceed with caution. That’s the general advice.

While snazzy brainwork is helpful in detecting new cyberattacks, the way our brains work can undermine the very outcomes we’re trying to achieve. As with the headline for this post, many of you can quickly read what’s written, and while the first couple of words may take a millisecond longer than normal to get, the subsequent ones get progressively easier. Optical illusions provide a second category of examples where what looks reasonable on first glance becomes more complicated on the second.

Hence, with respect to security awareness training, the advice to check the email address and domain name is sound but flawed. We would want someone to see that memcosoff.com was not microsoft.com, but we should not be surprised when people miss the difference between slight variations. Yes, the differences between paypal and paypa1 may be clear and obvious in retrospect, but to write people off due to missing the differences when their brain actually creates the signals it expects to see is disingenuous.

We’re a great advocate for email security solutions that use anomaly detection (and similar techniques) to do the heavy lifting in identifying subtle changes in email addresses and domain names. Textual analysis for near-matches, unusual patterns in combining sender names with email addresses, and the like provide a level of machine-precision that brains can’t match (and that’s okay, since brains are good at other things). Asking your people to check these details is fine, but don’t do so without using the best of what’s now available to detect, highlight, and remediate cyberattacks predicated on subtle differences that brains will often miss.

Key stats and ideas from the report:

• 94% of survey respondents have some level of concern about the security implications of deepfakes.
• The increasing sophistication of deepfake technologies has left many people struggling to differentiate artificially generated content from reality.
• The worst of what deepfake-enabled threats has to offer is still yet to come. 64% of respondents believe the volume of these attacks will increase in the next 12-18 months.
• 53% of respondents say that email is an “extreme threat” as a channel for deepfake attacks.

Our POV:

• 94% said they had concern and about deepfakes, and so they should. We think that 100% of respondents should have been concerned. It is still very early days for the weaponization of deepfake technology, and the various ways in which this will be used by threat actors for malicious ends remains to be seen. As an industry, we don’t have a good enough grasp of the full picture yet, such as whether deepfake threats are just audio and video, whether they originate in email or whether they are subsequent attack methods in a multi-stage coordinated targeted attack, and so on.
• Deepfakes – especially of the live audio and video kind – are a uniquely AI-enabled cyberthreat. This will demand AI-powered cybersecurity solutions to detect and respond.
• As an industry, we’ve talked about impersonation as a threat for a long time, often in the context of vendor impersonation (for business email compromise) or domain impersonation (for phishing attacks in general). Deepfakes is several next levels up on the impersonation side. We’ll need to be careful re language though, to differentiate different types of attacks and by implication different types of approaches for detecting and stopping such attacks. It doesn’t make a lot of sense for everything that’s fake to become a “deepfake.”

And just a reminder: IRONSCALES is a client at Osterman Research. We’ve had the privilege of working with IRONSCALES on multiple research projects in recent years. We didn’t, however, have any participation in the formulation, execution, or delivery of this research.

Our latest research agenda program fits in the latter category. When we were looking at possibilities for 2024, a client suggested:

Something around how the security industry is evolving to make the SOC more efficient and reduce stress and burnout would be good. For example, the H/M/L prioritization of alerts didn’t really do much. What are vendors doing that works, and what doesn’t work? (There could be a little AI in here, but it would be good to go beyond that.)

That nudge (thanks, Bob!) became the origin point for our latest report, Making the SOC More Efficient (available on the main Osterman Research site). It’s a long paper (26 pages) that attempts to deal thoughtfully and in-depth with the topic, exploring the data points we captured through the survey and advocating a way forward. There is more than “a little AI” in the report, though, as this has become both the greatest threat (82.4% of security leaders said that “the use of AI by cyberthreat actors in cyberattacks” was “very impactful” or “extremely impactful” – the highest-rated trend in this research) and one of the greatest tools for defenders (via the rise of AI-enabled cybersecurity solutions).

Some of the key takeaways from the research:

• Current SOC approaches have hit the wall
  Confidence in the ability of the SOC to protect against the threats detected by their security tools has dramatically increased during the past two years, but this increase in confidence is expected to rapidly crater. The innovations that drove increased SOC performance over the past two years do not contain the necessary ingredients to continue driving performance over the next two.
• Specialized threat intelligence to eliminate false positives, AI for behavioral analysis, and autonomous remediation seen as top innovations
  The three innovations seen as most likely to drive SOC efficiency and reduce stress and burnout among SOC analysts are the use of specialized threat intelligence to eliminate false positives; using AI for behavioral analysis in investigating alerts and autonomously creating or updating detection rules; and autonomously remediating incidents without SOC analyst intervention. Almost half of respondents gave two AI-powered defensive innovations the highest rating.
• New innovations improve SOC metrics by a composite average of 35%
  All organizations in this research are already experimenting with at least one new approach to improving the efficiency of their SOC. The most impactful innovations on key SOC metrics (time to begin working on an issue, time to close an incident, and number of false positives) are AI behavior analysis with autonomous rule creation/updating, AI behavioral modeling for detecting baseline deviations, and autonomous remediation of incidents.

If SOC efficiency is in your wheelhouse, we’d love you to get a copy.

This program was sponsored by Dropzone AI, HYAS Infosec, Radiant Security, and Sevco Security.

This is the eleventh year that Scale has produced this research (in collaboration with Everclear Marketing, we’ve helped over the past three years). The survey and report look at evolving threats and solutions, investment priorities for cybersecurity technologies and strategies (make sure you see the top 10 chart for this year and the changes from last year), and funding and buying patterns. The data is from senior-level decision-makers at organizations with 500 or more employees. AI has an increasing focus in this year’s research – as you would expect. 

Key findings:

• Data breaches increased, led by phishing and third-party attacks.
• CISOs prioritised cloud infrastructure and data center security.
• Attackers targeted AI models while security played catch up.
• Security budget growth showed signs of slowing.
• Market gaps found in software supply chain security and ADX. 

For details on how to get yourself a copy, please check out our portfolio. 

Governance, risk, and compliance is a team sport — in a league where no two teams look alike. This diversity in team structures, responsibilities, and program resources makes GRC benchmarking across organizations and industries challenging — and objectively evaluating your program strategy even more difficult.

To better enable GRC leaders with a clear understanding of what “good” GRC looks like, we surveyed 350 risk, cybersecurity, and compliance leaders worldwide about their program objectives, team structures, processes, and technology investments — and aligned responses to a maturity model to gauge their GRC program maturity and success. 

Key findings:

• GRC is a collaborative undertaking across multiple teams.
• All organizations have work to do to improve their GRC program maturity.
• Organizations spend an average of 1% of annual revenue on their GRC program.
• People and talent expenses represent 46% of the GRC budget.
• Budgets are staying the same or increasing for 80% of organizations.
• Using a single GRC software tool best helps with proactively managing risk. 

For details on how to get yourself a copy, please check out our portfolio. 

There’s a lot of good data and vital recommendations in the white paper based on what we found from the survey. Get your copy from IRONSCALES and scan the key findings on page 2, and then dive into what is of most relevance to you. In this article, what I want to focus on is the eureka moment as we looked at the data.

Consider this finding from one of the questions in the survey: more than 70% of respondents self-assess their current email security stack as highly effective at detecting image-based and QR code phishing attacks. This is from IT managers, IT team leads, IT security managers, email security managers, email security administrators, etc. These are the men and women on the front lines that are deeply involved in securing their organization against traditional, new, and emerging phishing threats – such as image-based and QR code phishing attacks. While that means 30% are less than confident in the efficacy of their detection capability, 70% out of the gate is a pretty high benchmark.

But then juxtapose that finding with another one: only 5.5% of respondents said their current email security defenses were able to detect and block all image-based and QR code phishing attacks from reaching user inboxes. That means 94.5% had one or more of these new types of phishing attacks flow through their email defenses to an employee’s inbox, and based on that happening, 75.8% of organizations experienced a compromise of account credentials or exfiltration of sensitive information due to image-based or QR code phishing attacks over the previous 12 months. In comparison to the data point above, that’s quite a low benchmark of battle-tested reality. It could be the tale of the one that got through, but that doesn’t make logical sense if 75.8% of organizations experienced a compromise based on just one that slipped through. Many, many of these attacks must have made their way through to inboxes, and someone or someones at each organization got phished.

On that note, better cybersecurity awareness training and phishing simulations based on real-world examples of image-based and QR code phishing attacks was a highly ranked strategic intent across the organizations we surveyed. If attacks will get through, make sure employees know what to look out for. But equally / in parallel / it’s not one or the other, augmenting current email security defenses is just as essential. People plus tech work in combination; it’s not either/or.

We will be joining IRONSCALES for a webinar on April 11 to dive into the findings. There will be Q&A … so please register and attend to have your questions answered.