As cyber-criminals get more cunning, enterprise security must get smarter, with AI-augmented software as a weapon of choice

Kurt Marko Profile picture for user kmarko June 24, 2020
As cyber-attackers up their game, there's a growing technology need for email and collaboration security products that employ AI to block phishing and malware attacks.

(Pixabay )

Computer security has been a cat-and-mouse game between IT professionals and wily hackers since Robert Morris created the first network worm in the late 1980s. Ever since, hackers motivated by curiosity, animosity and, lately, greed have escalated their craft by devising more deviously sophisticated and stealthy techniques to enter (and sometimes corrupt) systems, exfiltrate data, compromise user credentials and steal personally identifiable information (PII). In response, IT organizations have deployed more elaborate security software with layered defenses, aggressive monitoring and more onerous authentication schemes. Every time IT applies new technology designed to block the latest attacks, hackers shift tactics.

No matter how much money and effort IT spends bolstering enterprise security, cyber-attackers remain undeterred and seemingly more successful than ever by focusing on the Achilles heel of IT security: users. Although conventional security measures have proven ineffective at blocking naive or careless user behavior, there is a reasonable prospect that a new generation of AI-enhanced security systems will succeed where less adaptive techniques have failed. Indeed, the time is ripe for data-driven machine and deep learning software to protect users from the most popular and effective attacks, phishing emails and messages.

Email is the preferred portal for data and identity theft

Massive thefts of corporate, government and personal data and identities, along with destructive ransomware and denial-of-service (DoS) attacks are so commonplace that they rarely make headlines, however, look deeper and the scope of the problem becomes evident. The FBI Internet Crime Complaint Center (IC3)  is a clearinghouse for information about online criminal activity. The organization assists law enforcement and industry cybersecurity groups by investigating and analyzing reported cases of fraud, IP theft, system intrusions, extortion and identity theft.

The most recent 2019 IC3 annual report shows that cyber-crime is a thriving activity. 

  • Complaints have gone up 1.6-times in four years, a CAGR of 13%.
  • Financial losses have increased 3.2-times for a 34% CAGR since 2015.
  • So called Business Email Compromise (BEC) / Email Account Compromise (EAC) account for about half the overall monetary damage with losses of over $1.7 billion in 2019. In an interview with cyber-security researcher Brian Krebs, a security engineer at Flashpoint said the percentage was even higher at 63 percent of fraud losses reported to the FBI.

(FBI 2019 Internet Crime Report)

The IC3 report notes the increasing sophistication of email scams, which typically start by subjecting targets to background research and social engineering. Knowing that IT defenses have tightened, particularly for senior executives and those in corporate finance, the FBI notes that email fraudsters often take an indirect approach (emphasis added):

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.

In 2019, the IC3 observed an increase in the number of BEC/EAC complaints related to the diversion of payroll funds. In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.

A separate IC3 PSA states that "Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses." It notes that banks in China and Hong Kong are the most common destinations for fraudulent funds, but the FBI has seen "an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey." A 2017 IRS advisory warns of the same technique, 

The prevalence of BEC and the diffuse set of organizations responsible for preventing it — corporate IT, local, state and federal law enforcement, email service providers and end users --   make email fraud so difficult to fight. As the Flashpoint employee tells Krebs, "The truth is that in order to address BEC as a whole we all have to work together on that. It’s like the old saying: How do you eat an elephant? One bite at a time." However, there is now a technological asset in AI that can automate much of the preventive work and protect users from common mistakes.


Email and document security using cloud-based AI

AI is working its way into most software categories, including consumer apps, IT infrastructure management and operations — the pretentiously-labeled AIOps — security (which I first detailed three years ago) and user authentication. Thus, enhanced protection for email, collaboration and file-sharing systems is a natural fit for data analytics and deep learning algorithms. I recently had the opportunity to discuss the details with DJ Sampath, the co-founder and CEO of Armorblox, one of the pioneers in using AI for email security and a company Gartner recently named as one of the Cool Vendors in Cloud Office Security.

As Gartner indicates, Armorblox, like virtually all AI-enhanced security products, is cloud-based software (SaaS) that works with the most popular cloud and on-premises email and collaboration products including Exchange, Office 365, G Suite, Box and Slack. Support for OneDrive, Microsoft Teams and Google Drive is coming via the same API integrations Armorblox just used to extend support to Box and Slack. Hooking into each service's APIs allows Armorblox to feed messages and content into its analysis pipeline where it applies several techniques to spot security threats, including:

  • Natural language processing (NLP) can parse messages to glean context and spot grammatical errors that are common to many phishing attacks from foreign sources that aren't native English speakers.
  • Statistical analysis (similar to longstanding Bayesian techniques for spam detection) to identify messages from outside an employee's usual communications circle or other anomalies. 
  • Machine learning that uses NLP to feed stylometry (the study of linguistic style) and additional text classification models to identify typical communication patterns and flag unusual messages for further analysis
  • Deep learning via pre-trained transformer networks for content summarization, sentiment analysis and name-entity identification (i.e. "Dave" in the context of a message to a colleague about our shared boss named David Smith). 

Feeding its data pipeline via the APIs for various messaging services facilitates extending support to new sources like Box, Slack and others to come. Armorblox similarly uses APIs to send the output of its analysis to various SIEM (incident management) and SOAR (automated response) products like Splunk and Palo Alto Cortex. Armorblox similarly uses API integration to IDM (identity management) and threat intelligence products like Okta and Cofense Intelligence to provide user controls and improve detection.


Cloud services as the new security backbone

Armorblox is one a growing number of cloud-based SaaS products designed to buttress enterprise security. Building on a micro-service foundation and a cloud-native technology stack of Kubernetes container clusters, Istio and Kafka allow Armorblox and its ilk to rapidly iterate features, performance improvements and product integrations without disrupting the underlying service or customer workflows.

Armorblox has several direct and adjacent competitors with AI-enhanced email and content security products, including:

  • Abnormal Security uses behavioral modeling, content analysis and graph/network analysis to flag phishing attacks that impersonate a trusted collaborator or use other fraudulent techniques.
  • BitDam analyzes various collaboration channels including email. IM and cloud file sharing to identify normal messaging traffic flows and flag anomalies. It also includes an inspection module to spot and block embedded malicious code.
  • Darktrace's  Antigena email module that uses AI to understand the unique patterns of behavior of email users and the complex web of relationships between them to identify phishing attacks, spoofing attacks, and other malicious emails.
  • Mimecast recently acquired Segasec, whose product identifies phony email, websites and domains that imitate a trusted site or brand as a means of identity and IP theft.
  • Tessian applies ML, statistical heuristics, content inspection and message graph analysis to block phishing attacks, unauthorized data exchange and identity theft.
  • Trend Micro combines AI, traditional malware detection and URL scanners to spot phishing attacks and malicious content.

My take

The security of email, collaboration and file-sharing sites have never been more critical now that most employees work outside the confines of a corporate LAN in home environments with often shoddy security. A recent Wall Street Journal article asked eight CIOs about their greatest concerns in the COVID WFH era and every one cited some aspect of enterprise security. Vittorio Cretella, CIO at Proctor and Gamble, summarized the thinking that leads many organizations to investigate new AI-enhanced security measures:

We have to be relentless about increasing our cyber capabilities—including advanced threat detection and penetration testing—to provide additional protection from malware, internet-based attacks, phishing email and other threats.

Likewise, Shankar Arumugavelu, Verizon's CIO noted that phishing attacks, particularly those using social engineering, are particularly worrisome as effective methods of stealing employee credentials and PII of both employees and customers. Given the dire numbers from the FBI IC3 report, these CIOs are rightfully concerned about the opportunities remote workers using email and other online collaboration tools present for hackers to infiltrate enterprise systems and steal data.

Today's attackers aren't the lone wolves of yesteryear but might be a cyber intelligence arm of a nation-state or hired guns for a criminal syndicate that understands the internals of conventional security products and employs sophisticated schemes to bypass traditional defenses. While machine intelligence isn't a panacea, SaaS products like Armorblox that can work with whatever mix of collaboration products an organization might use will soon be a standard part of the enterprise security arsenal.

A grey colored placeholder image