bulletproof your email
TRANSCRIPT
1 #emailpros
Bulletproof Your Email
Steven Murray, CISO, SparkPost Alexander Garcia-Tobar, CEO & Co-Founder, ValiMail
#emailpros
2 #emailpros
Speakers
Alexander García-Tobar, CEO and Co-founder, ValiMail A serial entrepreneur and global executive, Alexander has been CEO at two previous firms and has run global sales teams for three companies that went IPO. He held analyst and executive positions at leading research companies such as The Boston Consulting Group and Forrester Research along with Silicon Valley startups such as ValiCert, Sygate, and SyncTV.
Steven Murray, CISO, SparkPost With more than 20 years of experience in enterprise-level information security and advanced network warfare, Steven is most known for his work with the SEI Computer Emergency Response Team at Carnegie Mellon University. Prior to joining SparkPost, Steven was Director of Security Engineering and Operations for ServiceNow and a Lieutenant Colonel in the U.S. Army commanding a Cyber Defense Battalion, for which he received a Bronze Star for his service during Operation Iraqi Freedom.
3 #emailpros
The Threat is Real
• Threat actors are agile, adaptive and able to transform their online personas faster than defenders can respond.
• Criminals know defenders have to follow the rules, and they don’t.
4 #emailpros
Threats We’re Seeing - Common Attack Surfaces
• Illegitimate Attacks
• Squatters
• Classic Denial of Service
• Impersonation Attacks/Brand Abuse
5 #emailpros
Illegitimate Attacks
• Attackers use legitimate sending domains to create legitimate accounts at sending services
• Initial sending patterns are normal and the content is legitimate
• The sender builds trust, which earns a higher sending limit
• Once the highest trust level is reached, the sender changes persona and starts sending branded content (mail that impersonates a brand)
• Millions of emails can be launched before any countermeasure catches the bad content
• Because the sender’s reputation is already established, receiving-side spam filters let the content through
6 #emailpros
Squatters
Squatters take advantage of unused domains and partially set-up accounts to conduct attacks against specific targets.
7 #emailpros
Classic Denial of Service
An attack designed to shut down a company’s ability to operate online: flood the border routers with traffic to take down access to the internet.
8 #emailpros
Impersonation Attacks/Brand Abuse
Emails pretending to be from your domain/brand with the express intent to harm your brand and/or harvest confidential information (W-2s, wire transfers, designs, etc.). Allows harm without having to hack anything.
9 #emailpros
Impersonation Attacks/Brand Abuse – Case Study
A modern phishing attack ruined a bank’s brand and reputation
‘Mid-sized-bank.com’:
• Normal email traffic: 3k/day
• Blackmail campaign: 20M/day sent by the criminal in the bank’s name
• Triggers Gmail defenses: all email from the domain blocked
• Damage to brand and operations
• Cost more than a direct compromise of the company would have
11 #emailpros
How do we combat these attacks?
Email Authentication
• Only whitelisted email senders allowed
• All others ignored globally
12 #emailpros
©2016 ValiMail. All Rights Reserved. Confidential and Proprietary. www.valimail.com
DMARC adoption is accelerating
[Chart: DMARC Authentication Adoption]
Additionally: Europe’s and Japan’s top ISPs announce support (1&1, LaPoste, IIJ, etc.).
13 #emailpros
Email Authentication Becoming a MUST HAVE
Google and Microsoft are penalizing for no authentication
An affirmative solution for exact-domain impersonation (BEC)
[Screenshot of a mail client: messages flagged as suspicious get no sender icon regardless of authentication, and no images regardless of Inbox or Junk placement; sample message “WE HAVE THE RIGHT CREDIT CARD FOR YOU – From credit cards that offer cash back to savings on interest, we have the right card to fit your needs.”]
No authentication, no logo!
Benefits:
• Stop modern phishing attacks
• Protects brands
• Controls shadow email
• Improves deliverability
• Reduces liability
• Enables compliance
14 #emailpros
[Diagram: Myco signs outbound mail; recipients (customers, partners, employees) validate it against Myco’s DNS records: IP whitelists (SPF), public keys (DKIM), policies (DMARC)]
Email Authentication
• Only whitelisted email senders allowed
• All others ignored globally
It Works – But It’s Complicated
15 #emailpros
Higher Adoption at Larger Companies, Yet Remarkably Similar Failure Rates

Company size      Attempted authentication   Successful enforcement   Failure rate
NASDAQ 100        43.0%                      12.0%                    72.1%
FTSE 100          25.0%                       5.0%                    80.0%
S&P 500           23.8%                       6.1%                    74.4%
Fortune 1000      16.2%                       3.8%                    76.5%
Alexa 10,000      14.2%                       5.3%                    62.3%
Alexa 100,000      5.9%                       1.7%                    71.1%
Alexa 1 million    2.3%                       0.6%                    74.6%

Failure rate = share of domains that attempted authentication but did not reach enforcement (1 − enforcement ÷ attempted). Source: ValiMail.

Implementation Failure Rates are High
~70% failure rates, regardless of company size and resources
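The table splits “attempted authentication” from “successful enforcement”, and the gap between them is where the ~70% failure rate lives. The script below, an added example for this transcript rather than ValiMail’s or SparkPost’s own tooling, classifies a domain’s DMARC record the same way. It assumes (the page does not define this) that “attempted” means any `_dmarc` TXT record is published, and “enforced” means a valid record with `p=quarantine` or `p=reject` applied to all mail (`pct=100`) and not undone for subdomains via `sp`. The domain names and DNS answers are constructed inline so it runs offline.

```python
"""Classify DMARC posture: no-record / invalid / monitoring / partial / enforced.

Added example, not ValiMail's or SparkPost's code. Definitions of "attempted"
and "enforced" are assumptions, see the lead-in. DNS answers are constructed.
"""
import re

TAG = re.compile(r"^([a-z]+)\s*=\s*(.+)$", re.I)

# Constructed TXT answers for _dmarc.<domain> (hypothetical domains).
SAMPLE_DNS = {
    "_dmarc.enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "_dmarc.monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=20",
    "_dmarc.subonly.example": "v=DMARC1; p=reject; sp=none",
    "_dmarc.broken.example": "p=reject; v=DMARC1",   # v= must be the first tag
}


def parse_dmarc(record):
    """Return a tag dict for a syntactically valid DMARC record, else None.
    RFC 7489: ';'-separated tag=value pairs, 'v=DMARC1' first, 'p' required."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0], re.I):
        return None
    tags = {}
    for part in parts:
        m = TAG.match(part)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2).strip()
    if "p" not in tags:
        return None
    return tags


def classify(domain, dns=SAMPLE_DNS):
    """One of: no-record, invalid, monitoring, partial, enforced."""
    record = dns.get("_dmarc." + domain.lower())
    if record is None:
        return "no-record"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitoring"            # reports only, nothing is blocked
    if pct < 100 or sub_policy not in ("quarantine", "reject"):
        return "partial"               # sampled enforcement, or subdomains left open
    return "enforced"


def summarize(domains, dns=SAMPLE_DNS):
    """Tally like the table: attempted = any record published, enforced =
    blocking policy in place, failure rate = attempted but never enforced."""
    attempted = enforced = 0
    for d in domains:
        c = classify(d, dns)
        attempted += c != "no-record"
        enforced += c == "enforced"
    rate = (attempted - enforced) / attempted if attempted else 0.0
    return {"attempted": attempted, "enforced": enforced, "failure_rate": rate}


if __name__ == "__main__":
    sample = ["enforced.example", "monitoring.example", "partial.example",
              "subonly.example", "broken.example", "missing.example"]
    for d in sample:
        print(f"{d:22} {classify(d)}")
    print(summarize(sample))
```

The `partial` bucket is the one that looks like success on a quick glance: a `p=reject` record with `sp=none` still leaves every subdomain open to exact-domain impersonation, and `pct=20` lets four in five spoofed messages through.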
16 #emailpros
The Challenges of Enabling Email Authentication
• Standards are stuck in 2002 (SPF 10 lookup limit)
• Every change requires working with DNS
• Stale DKIM keys can be compromised
• Identifying 3rd-party services is extremely hard
• Post-configuration: limited visibility and control over new 3rd parties sending email as you
17 #emailpros
To Authenticate (and Succeed at Deployment)
• Overcome standards limitations (SPF 10 lookup limit)
• Detect and classify (long-tail) sending services
• Authorize and de-authorize senders on an ongoing basis
• Minimize DNS changes (beware of arcane syntax!)
• Parse reports and react to malicious activity
• Maintain accurate configuration over time
Or use a service that:
• Provides full visibility
• Automates completely
• Enforces with confidence
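The “SPF 10 lookup limit” named in the two lists above is easy to exceed once a few third-party senders are included, because every `include:` pulls in the lookups of the included record as well. The script below is an added example for this transcript, not ValiMail’s or SparkPost’s code: it walks an SPF record the way a receiver does, counts every mechanism or modifier that costs a DNS query against the shared budget of 10 from RFC 7208, and flags loops and dangling includes. The domain names and TXT records are hypothetical and constructed inline so it runs offline; replace `SAMPLE_TXT` with a real resolver lookup to audit your own domain.

```python
"""Count SPF DNS lookups and flag records over the RFC 7208 limit of 10.

Added example, not ValiMail's or SparkPost's code. All domains and TXT
records below are constructed for illustration.
"""
import re

LIMIT = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying mechanisms/modifiers

# [+-~?]qualifier, mechanism/modifier name, optional :arg or =arg, optional CIDR
TERM = re.compile(
    r"^[+\-~?]?(?P<name>[a-z0-9_.-]+)(?:[:=](?P<arg>[^/]*))?(?:/\d*){0,2}$", re.I)
NEEDS_DNS = {"a", "mx", "ptr", "exists"}   # one lookup each; include/redirect also recurse

# Constructed records: a company record that includes three vendors, each of
# which includes or redirects further, plus a flattened, a looping and a broken one.
SAMPLE_TXT = {
    "myco.example": ("v=spf1 ip4:203.0.113.0/24 include:_spf.crm.example "
                     "include:_spf.esp.example include:_spf.helpdesk.example a mx -all"),
    "_spf.crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example -all",
    "_spf1.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.crm.example": "v=spf1 ip4:198.51.100.0/24 mx -all",
    "_spf.esp.example": ("v=spf1 include:_netblocks.esp.example "
                         "include:_netblocks2.esp.example a ~all"),
    "_netblocks.esp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_netblocks2.esp.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.helpdesk.example": "v=spf1 redirect=_spf.helpdesk-platform.example",
    "_spf.helpdesk-platform.example": "v=spf1 ip4:192.0.2.0/24 ptr -all",
    # Same senders expressed as literal netblocks: zero lookups, but it must be
    # regenerated whenever a vendor changes its ranges.
    "myco-flat.example": ("v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 "
                          "ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"),
    "_spf.loop.example": "v=spf1 include:_spf.loop.example -all",
    "myco-broken.example": "v=spf1 include:_spf.gone.example -all",
}


def get_spf(domain, txt):
    """Return the v=spf1 record for domain, or None (stand-in for a TXT query)."""
    rec = txt.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def count_lookups(domain, txt, chain=()):
    """Return (lookups, notes), recursing through include:/redirect= so that
    every nested lookup is charged to the same budget a receiver applies."""
    d = domain.lower()
    if d in chain:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(chain)}"]
    rec = get_spf(d, txt)
    if rec is None:
        return 0, [f"{domain}: no SPF record (a receiver returns permerror)"]
    total, notes = 0, []
    for term in rec.split()[1:]:           # skip the v=spf1 version term
        m = TERM.match(term)
        if not m:
            notes.append(f"{domain}: unparsed term {term!r}")
            continue
        name, arg = m.group("name").lower(), m.group("arg")
        if name in ("include", "redirect"):
            if not arg:
                notes.append(f"{domain}: {name} without a domain")
                continue
            total += 1                     # the lookup for the included record itself
            sub, sub_notes = count_lookups(arg, txt, chain + (d,))
            total += sub
            notes += sub_notes
        elif name in NEEDS_DNS:
            total += 1
        # ip4, ip6, all, exp: no DNS query
    return total, notes


def audit(domain, txt=SAMPLE_TXT):
    lookups, notes = count_lookups(domain, txt)
    return {"domain": domain, "lookups": lookups,
            "over_limit": lookups > LIMIT, "notes": notes}


if __name__ == "__main__":
    for d in ("myco.example", "myco-flat.example", "_spf.loop.example", "myco-broken.example"):
        r = audit(d)
        print(f"{d}: {r['lookups']} lookups, over limit: {r['over_limit']}")
        for n in r["notes"]:
            print("  ", n)
```

Three vendor includes plus the company’s own `a` and `mx` already cost 13 lookups here, so receivers return permerror and the record protects nothing. Flattening to literal netblocks (the `myco-flat.example` record) drops the count to zero but turns every vendor IP change into a DNS edit, which is the “maintain accurate configuration over time” problem from the list above.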
19 #emailpros
Best Practices
• Enable DMARC authentication – lock down your @domain.com
• Whitelist domains, SPF records and IPs
• Manage and rotate encryption/signature keys (DKIM, SSH, SSL)
• Require multi-factor authentication
• Authorize users and restrict roles within the org (RBAC)
20 #emailpros
Best Practices
• Awareness: teach your user base how to spot phishing attacks
• Assume you are a high-value target
• Enforce good operational standards and practices: complex login/authentication for admins
• Log everything
21 #emailpros
To watch the webinar recording, click here:
https://sparkpo.st/bulletproofyouremail