bulletproof your email


Post on 15-Feb-2017


  • 1 #emailpros

    Bulletproof Your Email

    Steven Murray, CISO, SparkPost
    Alexander Garcia-Tobar, CEO & Co-Founder, ValiMail

    #emailpros

  • 2 #emailpros

    Speakers

    Alexander Garcia-Tobar, CEO and Co-founder, ValiMail
    A serial entrepreneur and global executive, Alexander has been CEO at two previous firms and has run global sales teams for three companies that went IPO. He held analyst and executive positions at leading research companies such as The Boston Consulting Group and Forrester Research, along with Silicon Valley startups such as ValiCert, Sygate, and SyncTV.

    Steven Murray, CISO, SparkPost
    With more than 20 years of experience in enterprise-level information security and advanced network warfare, Steven is best known for his work with the SEI Computer Emergency Response Team at Carnegie Mellon University. Prior to joining SparkPost, Steven was Director of Security Engineering and Operations for ServiceNow and a Lieutenant Colonel in the U.S. Army commanding a Cyber Defense Battalion, for which he received a Bronze Star for his service during Operation Iraqi Freedom.

  • 3 #emailpros

    The Threat is Real

    Threat actors are agile, adaptive and able to transform their persona online faster than we can respond.

    Criminals know defenders have to follow the rules, and they don't.

  • 4 #emailpros

    Threats We're Seeing - Common Attack Surfaces

    Illegitimate Attacks

    Squatters

    Classic Denial of Service

    Impersonation Attacks/Brand Abuse

  • 5 #emailpros

    Illegitimate Attacks

    Legitimate sending domains are used to create legitimate accounts.

    Initial sending patterns are normal and the content is legitimate.

    The sender builds trust to qualify for a higher threshold of sending limits.

    Once the highest trust level is achieved, the sender changes persona and starts to send branded content.

    Millions of emails can be launched before any countermeasures catch the bad content.

    The content bypasses spam filters on the receiving end.

  • 6 #emailpros

    Squatters

    Take advantage of unused domains and partially set-up accounts to conduct attacks against specific targets.

  • 7 #emailpros

    Classic Denial of Service

    An attack designed to shut down a company's ability to operate online: flood the border routers with traffic to take down access to the internet.

  • 8 #emailpros

    Impersonation Attacks/Brand Abuse

    Emails pretending to be from your domain/brand with the express intent to harm your brand and/or harvest confidential information (W-2s, wire transfers, designs, etc.). Allows harm without having to hack.

  • 9 #emailpros

    Impersonation Attacks/Brand Abuse Case Study

    A modern phishing attack ruined a bank's brand/reputation

    Mid-sized-bank.com:

    Normal email traffic: 3k/day

    Blackmail: 20M/day sent by criminal

    Triggers Gmail defenses: all email blocked from domain

    Damage to brand and operations

    Cost: more impactful than hacking the company

  • 10 #emailpros

    Costs of Non-Validated Email are Skyrocketing

  • 11 #emailpros

    How do we combat these attacks?

    Email Authentication

    Only whitelisted email senders allowed

    All others ignored globally

  • 12 #emailpros

    Bringing Trust to Email. Copyright 2016 ValiMail. All rights reserved. Confidential and Proprietary. www.valimail.com

    DMARC adoption is accelerating

    Additionally: Europe's and Japan's top ISPs announce support (1&1, LaPoste, IIJ, etc.).


    DMARC Authentication Adoption

  • 13 #emailpros

    Email Authentication Becoming a MUST HAVE

    Google and Microsoft are penalizing for no authentication

    An affirmative solution for exact domain impersonation (BEC)

    [Screenshot: a promotional email ("We have the right credit card for you ... we have the right card to fit your needs") as rendered by the mail client, annotated: Suspicious = no icon, regardless of authentication; Suspicious = no images, regardless of Inbox or Junk.]

    No authentication, no logo!

    Benefits:

    Stops Modern Phishing Attacks

    Protects Brands

    Controls Shadow Email

    Improves Deliverability

    Reduces Liability

    Enables Compliance

  • 14 #emailpros

    [Diagram: Myco signs its outgoing email; customers, partners and employees validate it against the records Myco publishes in DNS: IP whitelists (SPF), public keys (DKIM) and policies (DMARC).]

    Email Authentication

    Only whitelisted email senders allowed

    All others ignored globally

    It Works, But It's Complicated

  • 15 #emailpros

    Higher Adoption at Larger Companies, Yet Remarkably Similar Failure Rates

    Company size      Attempted authentication   Successful enforcement   Failure rate
    NASDAQ 100        43.0%                      12.0%                    72.1%
    FTSE 100          25.0%                       5.0%                    80.0%
    S&P 500           23.8%                       6.1%                    74.4%
    Fortune 1000      16.2%                       3.8%                    76.5%
    Alexa 10,000      14.2%                       5.3%                    62.3%
    Alexa 100,000      5.9%                       1.7%                    71.1%
    Alexa 1 million    2.3%                       0.6%                    74.6%

    Source: ValiMail

    Implementation Failure Rates are High

    ~70% failure rates, regardless of company size & resources

  • 16 #emailpros

    The Challenges of Enabling Email Authentication

    Standards are stuck in 2002 (SPF 10 lookup limit)

    Every change requires working with DNS

    Stale DKIM keys can be compromised

    Identifying 3rd-party services is extremely hard

    Post-configuration: limited visibility and control of new 3rd parties sending email as you
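The SPF 10-lookup limit mentioned above is easy to exceed once several third-party services are included, because every include:, redirect=, a, mx, ptr and exists term costs a DNS query. Added example, not from the slides or either company: a Python counter that walks a set of constructed SPF records (all domain names and addresses are made up) instead of querying live DNS.

```python
import re

# Constructed SPF records for a hypothetical domain "myco.example" and the
# third-party services it includes (all names and addresses are made up).
TXT_RECORDS = {
    "myco.example": "v=spf1 mx include:_spf.mailer-a.example include:_spf.crm-b.example -all",
    "_spf.mailer-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer-a-shared.example ~all",
    "_spf.mailer-a-shared.example": "v=spf1 ip4:198.51.100.0/24 a:relay.mailer-a.example -all",
    "_spf.crm-b.example": "v=spf1 include:_spf.crm-b-eu.example include:_spf.crm-b-us.example -all",
    "_spf.crm-b-eu.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.lookup.crm-b.example -all",
    "_spf.crm-b-us.example": "v=spf1 redirect=_spf.crm-b-us2.example",
    "_spf.crm-b-us2.example": "v=spf1 ip4:203.0.113.0/24 mx ptr -all",
}

# Terms that cost a DNS query and count against the limit of 10
# (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([a-z0-9]+)(?:[:=](.*))?$", re.I)

def count_spf_lookups(domain, records=TXT_RECORDS, path=()):
    """Number of DNS-querying terms evaluated starting from domain's SPF record."""
    domain = domain.lower()
    if domain in path:              # include/redirect loop: stop this chain here
        return 0
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0
    total = 0
    for term in terms[1:]:
        m = TERM.match(term.lstrip("+-~?"))   # drop the qualifier prefix
        if not m or m.group(1).lower() not in COUNTED:
            continue
        total += 1
        # include and redirect pull in another record, whose terms also count
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_spf_lookups(m.group(2), records, path + (domain,))
    return total

def spf_within_limit(domain, records=TXT_RECORDS, limit=10):
    """True when the whole record tree stays within the lookup limit."""
    return count_spf_lookups(domain, records) <= limit
```

Against a real zone, replace the TXT_RECORDS dict with a DNS TXT lookup; a receiver that passes the limit returns permerror for the record, which DMARC treats as an SPF failure.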

  • 17 #emailpros

    To Authenticate (and Succeed at Deployment)

    Overcome standards limitations (SPF 10 lookup limit)

    Detect and classify (long-tail) sending services

    Authorize and de-authorize senders on an ongoing basis

    Minimize DNS changes (beware of arcane syntax!)

    Parse reports and react to malicious activity

    Maintain accurate configuration over time

    Or use a service that:

    Provides Full Visibility

    Automates Completely

    Enforces with Confidence
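For the "parse reports and react to malicious activity" step above, an added example (not from the slides or ValiMail): a Python parser for a DMARC aggregate (rua) report in the RFC 7489 XML format that tallies, per sending IP, how much mail passed versus failed both aligned DKIM and SPF; the report, domain and IPs are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (rua) report in the RFC 7489 Appendix C shape.
# Domain, addresses and counts are made-up sample data, not from the slides.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id></report_metadata>
  <policy_published><domain>myco.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>2900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>myco.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>150</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>myco.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.99</source_ip><count>48000</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>myco.example</header_from></identifiers></record>
</feedback>"""

def summarize_rua(xml_text):
    """Per source IP: messages that passed DMARC (aligned DKIM or SPF) vs. failed both."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    by_ip = defaultdict(lambda: {"passed": 0, "failed": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # DMARC passes when either aligned identifier passes (RFC 7489 section 4.2)
        key = "passed" if "pass" in (pe.findtext("dkim"), pe.findtext("spf")) else "failed"
        by_ip[ip][key] += n
    return policy, dict(by_ip)

def unauthenticated_sources(xml_text, min_count=1):
    """Sources sending as the domain with neither DKIM nor SPF passing, largest first.
    Under p=none these are still delivered; each is either a forgotten 3rd-party
    sender to authorize or abuse that a quarantine/reject policy would stop."""
    _, by_ip = summarize_rua(xml_text)
    hits = [(ip, d["failed"]) for ip, d in by_ip.items() if d["failed"] >= min_count]
    return sorted(hits, key=lambda t: -t[1])
```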

  • 18 #emailpros

    What can you do to protect your brand?

  • 19 #emailpros

    Best Practices

    Enable DMARC Authentication: lock down your @domain.com

    Whitelist domains, SPF, IPs

    Encryption/Signature Keys (DKIM, SSH, SSL)

    Require Multi-Factor Authentication

    Authorize users and restrict roles within the org (RBAC)

  • 20 #emailpros

    Best Practices

    Awareness: teach your user base how to spot phishing attacks

    Assume you are a high-value target

    Enforce good operational standards and practices

    Complex login / authentication for admins

    Log everything

  • 21 #emailpros

    To watch the webinar recording, click here:

    https://sparkpo.st/bulletproofyouremail
