Inside Track - getting to know the vendors…

Editorial Type: Interview Date: 2015-09-01 Views: 2,047 Tags: Networking
Ray Smyth reflects on his recent discussion with Rohyt Belani, CEO and co-founder of PhishMe

I first encountered PhishMe over two years ago during my annual visit to InfoSecurity. As Rohyt Belani carefully explained the company’s approach, I soon became very aware that it was offering something quite different. You see, most security vendors enthusiastically discuss their objective to protect people and data, and PhishMe are no different in that regard - other than that their technique relies upon utilising human beings as network sensors, as opposed to just technology.

The other thing that struck me about this vendor was that they focused on Phishing attacks, and I must admit I wasn't convinced that this was such a big problem. How wrong I was!

Phishing, and more specifically Spear Phishing, has established itself as a foundational attack vector. While the precise figures may vary, there is little doubt that over 90 per cent of Advanced Persistent Attacks (APTs) rely upon Phishing as their front of house strategy, which, if successful, grants the criminals admittance to their targeted network.

Phishing used to be a very untargeted and scattergun form of attack, but this is no longer the case, and Rohyt shared a very apposite example. He had recently been speaking at RSA about a new product launch and, when subsequently checking his email, noticed one from his CTO, apparently outlining a number of serious bugs in the freshly launched product. Rohyt explained that emotion flooded over him and he nearly started clicking his mouse when he realised two things. Firstly, that in such circumstances his CTO would be on the phone and not emailing, and secondly, that he was being addressed as 'Dear Rohyt' - a form of address his colleague had never used.

The point is that in the final analysis it was human instinct that prevented what was clearly a Spear Phishing attack, by which I mean it was absolutely targeted at PhishMe as an organisation, and Rohyt in particular. Had it been launched, it would have paved the way to unauthorised access to PhishMe and its data.

The use of humans in the effort to detect Phishing attacks is different, and with the company’s headcount rising from 25 in 2013 to 130 now, and sales growing 100 per cent year-on-year, it seems that PhishMe are gaining significant traction. This traction grows firstly from educating users to identify for themselves potential attacks, and the safest way to do this is by using the PhishMe simulator, which generates Phishing emails in a safe, accountable and controlled environment.

Regular use of the simulator provides the participants and organisation with immersion. This is critical to developing the human as a sensor and it also provides a means of measuring improvement in detection of threats over time. From here the second PhishMe element - Reporting - allows organisations to create some structure around user reports and then weight or normalise the data. It provides a simple toolbar-based submit option and, critically, sends acknowledgement back to the sender to reinforce their involvement, making sure that users are fully enrolled into the organisation’s security program.

There can be a downside to all this however, and that is the high volume of reports generated, giving rise to a mass of data that needs to be sorted or triaged. Enter the third PhishMe product, Triage. Working on user-submitted reports, Triage provides security analysts and incident responders with automated insight into Spear Phishing attacks. This orchestrated approach can reduce the Help Desk burden and identify the most credible reports, enabling early action.
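As an added illustration, not PhishMe's code and not a description of how Triage is built, here is a toy Python scorer for the weighting and triage steps the column describes: each user report is weighted by that reporter's track record from simulation exercises, near-duplicate reports are clustered on a normalised fingerprint, and clusters are ranked by combined credibility. The reporter names, sample reports and fingerprint scheme are all constructed assumptions.

```python
"""Toy triage scorer for user-reported suspicious emails (hypothetical)."""
from collections import defaultdict
import hashlib
import re

# Constructed simulation history: (simulated phish reported, simulated phish received)
REPORTER_HISTORY = {
    "alice": (9, 10),
    "bob": (2, 10),
    "carol": (0, 0),  # new joiner with no simulation history yet
}

def reporter_weight(history, reporter, prior=0.5):
    """Smoothed reporting accuracy; a reporter with no history gets the prior."""
    hits, total = history.get(reporter, (0, 0))
    return (hits + prior) / (total + 1)

def fingerprint(subject, sender_domain, urls):
    """Cluster key: subject with digits/whitespace stripped, lower-cased sender
    domain and the sorted set of URL hosts, so lures that only vary an invoice
    number or a tracking parameter land in the same cluster."""
    norm_subject = re.sub(r"[\d\s]+", "", subject.lower())
    hosts = sorted({re.sub(r"^https?://([^/]+).*$", r"\1", u).lower() for u in urls})
    key = f"{norm_subject}|{sender_domain.lower()}|{','.join(hosts)}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def triage(reports, history):
    """Group reports by fingerprint and sum reporter weights per cluster.
    Returns [(fingerprint, score, distinct_reporters)] sorted by score, best first."""
    clusters = defaultdict(lambda: {"score": 0.0, "reporters": set()})
    for r in reports:
        c = clusters[fingerprint(r["subject"], r["sender_domain"], r["urls"])]
        if r["reporter"] in c["reporters"]:
            continue  # repeat submissions by one person do not add credibility
        c["reporters"].add(r["reporter"])
        c["score"] += reporter_weight(history, r["reporter"])
    ranked = [(fp, round(c["score"], 3), len(c["reporters"])) for fp, c in clusters.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed sample submissions from the reporting toolbar
SAMPLE_REPORTS = [
    {"reporter": "alice", "subject": "Invoice 4471 overdue", "sender_domain": "acme-billing.example",
     "urls": ["http://acme-billing.example/pay?id=1"]},
    {"reporter": "bob", "subject": "Invoice 9902 overdue", "sender_domain": "Acme-Billing.example",
     "urls": ["http://acme-billing.example/pay?id=77"]},
    {"reporter": "alice", "subject": "Invoice 4471 overdue", "sender_domain": "acme-billing.example",
     "urls": ["http://acme-billing.example/pay?id=1"]},
    {"reporter": "carol", "subject": "Urgent: bugs in the new product", "sender_domain": "example.net",
     "urls": []},
]

if __name__ == "__main__":
    for fp, score, n in triage(SAMPLE_REPORTS, REPORTER_HISTORY):
        print(f"{fp}  score={score}  reporters={n}")
```

The two invoice lures collapse into one cluster whose score reflects two distinct reporters, one of them reliable, while the single unproven report ranks below it; an analyst works the list from the top.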

I see clear evidence that technology alone will not adequately defend organisations in the face of increasing and diversifying cyber-risk. If users are not fully educated and invested, then there is an exposure that will be exploited. NC