Asaf Cidon is the VP of Email Security at Barracuda Networks. In this DevOps Chat, we sat down with Asaf and spoke about some of the new threats and up-and-coming attack vectors in email security.
Asaf is in a unique position at Barracuda to be on the front lines of the battle for email security. You can find out more about what he and Barracuda Networks are doing around email security at barracuda.com and the company’s blog, where Asaf frequently writes about new email security threats.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Alan Shimel: Hey, everyone, it’s Alan Shimel, DevOps.com, Security Boulevard. You’re listening to another DevOps Chat. Today’s DevOps Chat is another in our series of RSA Conference previews and I’m happy to be joined by Asaf Cidon of Barracuda Networks. And Asaf is in charge of email security programs at Barracuda. Asaf, welcome.
Asaf Cidon: Hi, Alan, how are you?
Shimel: I’m great. Thanks for joining us.
Cidon: Glad to be here.
Shimel: I knew I messed up the title, Asaf. Why don’t you correct me for the audience?
Cidon: No, you did a great job. Don’t worry.
Shimel: All right. So let’s start off this – I’m gonna assume most of our listeners already know Barracuda Networks, of course.
Shimel: Sort of a legend in the security industry, both for cloud security, perimeter security – email security’s always been a big focus there – but how does one become the email security expert, Asaf? Tell us a little bit about your personal journey.
Cidon: So, you know, when I was 3 years old, most kids wanted to be a fireman or a firewoman and my goal, my dream, was just to be an expert on email security. Not kidding.
Shimel: Yep, at 3?
Cidon: [Laughs] No, I joined Barracuda actually via an acquisition, so I was CEO of a startup called “Sookasa,” and we were kind of – you could think of us as kind of like a CASB, a cloud-access security broker, but, after the acquisition, we saw that, given Barracuda’s significant kind of market reach in the email security space, we thought that using a similar approach in email could actually be really interesting. And so we refocused our team to focus on email security and using kind of AI for email security, and kind of launched a product here, and ended up kind of running the entire business.
Shimel: Got it. It’s an interesting path. So a lot of people – first of all, Asaf, right, we’ve been hearing that the death of email is coming for the last ten years, right? And, most recently, probably around Slack and some of the ChatOps kind of stuff is “Oh, it’s much superior to email,” but, yet, I would venture to say that we probably send more email than ever.
Cidon: Probably, yeah. [Chuckles]
Shimel: Yep. So email – it doesn’t seem to be going anywhere anytime soon. And –
Shimel: And other people look at this, Asaf, right, and they say, “Well, what’s new under the sun with email? An email is email.” But there is new under the sun and there’s certainly new when it comes to security in your email, and I guess security is really the left foot, the right foot being ways people attack via email. So why don’t we talk a little bit about what’s kind of new in the email security world?
Cidon: Sure. And, yeah, I mean, we’re all – this entire industry is only as good as the attackers, right? So we, in many ways, follow where the attackers take us, so they still think that email is a prime vector, probably the number-one vector, for cybersecurity attacks, at least the initial vector. So that’s definitely still a huge focus for the industry. So, yeah, I mean, the way I kind of view – so the email threat kind of landscape has actually evolved pretty significantly and there’s been a lot of, quote unquote, “innovations” from the attacker side, in the last few years. So we really moved from, kind of the way I like to think about it is, from a B2C to a B2B model, from the attacker side.
So, in the past, attackers were sending – kind of treating every email address as a consumer. They were sending these mass attacks. You can remember those Viagra emails that all of us used to receive or the Nigerian prince or even ransomware is probably a good example, where they just blast these attacks to millions and millions of people around the world. And, like kind of a consumer brand, they hope for a 0.1 percent conversion, is an amazing conversion rate, right? Usually, they get much lower than that. And then, if you get 1,000 people to fall for 100 bucks or 1,000 bucks, then you make a decent payout from the campaign.
So that’s the world we used to have, but, more recently, probably in the last two to three years, they’ve evolved much more into a B2B model, where they’re much more targeted. They’re willing to spend much more effort in personalizing their message and researching their target, but the payout for a successful attack is much higher. So, for example, probably the best example of this is the business email compromise or CEO fraud, where they would actually send an email to someone in the company, impersonating the CEO, for example, asking for a wire transfer. So they, of course, can’t send that to millions of people, but, you know, if they send it to 10,000 or 1,000 people and then 1 percent of them fall for it, but each one of them falls for $100,000.00 on average, and it’s typically actually more, then you get even a much higher payout than before.
So that’s actually been a pretty rapid evolution in the last few years and we’re seeing the FBI actually publishes numbers on these more kind of targeted attacks. And we’re seeing it’s a multibillion-dollar industry, from – a criminal industry, so it’s very lucrative.
Shimel: Absolutely. Absolutely. So, you know, Kevin, I’ve been going to the – or “Kevin”? I’m sorry – Asaf, I’ve been going to the RSA Conference for 20 years now and one of the things that constantly amazes me is that most security isn’t in the background as much as it was, let’s say, 20 years ago. Come RSA season, everybody’s releasing their reports – their threat reports, their cloud security report, email security report – and it’s like there’s this rush of news.
And, look, Barracuda competes in this space, right? What’s the big rush and news there, do you know?
Cidon: There’s probably a couple of things that we’re really keeping our eyes out on, so the first one is a rise of a relatively new type of attack, which is called “account takeover” or “account compromise.” This is probably the most – kind of the frontier of email attacks, where attackers will steal your credentials – they might steal it via phishing email or via just a hack into a password database. Then actually, using your credentials, impersonate you, like, using your real email address, send emails to other people, try to trick them.
So this is kind of the most nefarious kind of type of email attack just because most email security solutions will fail to stop it because they don’t – there’s no clues here. Right? It’s coming from the real email address – it has the real header; the IP address will be legit – so a lot of the network clues that would usually help you don’t exist in this type of attack. So that’s one area where, really, just customers are constantly talking to us about.
Second one is what we call “blackmail” or there’s other names for this type of attack, but, basically, this is where attackers will send you an email with your compromised password in the email, so they’ll actually say, “Hey, Alan, we got access to your account. This is the password,” and they usually use that password from a password breach. And then they threaten you to – if you don’t send them some bitcoins, they will release some embarrassing photos of you online.
And, again, this is another type of attack where a lot of existing email security solutions will not really work well because it’s highly personalized and it doesn’t really contain an obvious malicious kind of signal. It doesn’t really have malware or a phishing link or anything like that. So those are two, probably, the most kind of, let’s call it, topical types of attacks that we’re seeing with customers these days.
Shimel: I see it. I see it. You know, Asaf, one of the unique things – so kind of email security, the nuts and bolts of it, right, intersecting or looking at email when it comes on the server, whether it be an Exchange server or what have you, that really hasn’t changed too much. But I wonder, with the advent of cloud-based corporate Gmail, stuff like that, how has that changed the game for you guys over at Barracuda?
Cidon: Yeah, no, that’s a great question. So, actually, that has really changed the email security industry or email security system, so, yeah, you’re right. In the past – and this is what most of the email security companies still do – it was more like kind of a gateway, right, so you have your email server and then you’d just put some – you would route your traffic through some gateway that would filter email, right? Both your inbound and outbound traffic. And kind of classic spam filter. And that’s really what most of the industry still uses today, to be honest.
With the cloud email providers, there’s actually an opportunity to do much more sophisticated types of protection, so, with cloud email, they actually expose eight public APIs. And these public APIs give us kind of a wealth of information that we never had access to before, as email security providers. So, for example, I can get access to internal emails, not just emails from external sources. So, when you’re a gateway, you only see the bad stuff from the outside coming in, but you don’t see internal communications.
Now why are internal communications important? They’re important for two reasons: one, if one of the accounts internally gets compromised, so it’s really important to monitor those attacks – internal accounts can no longer be trusted – and, two, even if you’re trying to stop attacks from the outside, it’s actually really helpful to have a history of internal communications, if you’re gonna train an AI, for example, because the internal communications can give you a sense for “What does a normal email look like in this organization? What does a normal email look like from this person?”
And those have been really crucial, but then it goes even beyond that. We can gain access, for example, to IP log-in information into the mail client, like Gmail or Office 365, or we can get access to even more advanced types of information, like forwarding rules, so, a lot of times, attackers, these days, if they compromise an account, they will change the forwarding rule of the account in order to hide their presence or to gain access – to forward emails outside the organization, so that’s another signal that we can use.
So kind of to summarize, right, the cloud email services give us access to way more information, which we, as security providers, can then use to provide much more effective and kind of personalized security via AI.
Shimel: Got it. It does occur to me that it’s like that. So let’s take out your crystal ball a little bit, Asaf. Let’s say we’re sitting here pre-RSA next year or the year after that even; what do you think is the big story in 12 months, 18 months, 36 months?
Cidon: Yeah, so I think there’s a couple of – I’ll predict there’s gonna be a couple of interesting developments. So I mentioned earlier about account takeover’s really the cutting edge, today, of email security or email attacks. And I think we’re gonna see them just grow in their sophistication. So, today, most account takeovers take over an account and then use that account, for example, to launch phishing emails, for example, but the more interesting type of attack would be if they actually take over an account, for example, of an executive and then use that real executive’s account to influence a wire transfer or to gain access to sensitive information. And we already see that happening sometimes, but I predict it’s going to happen a lot more in the coming months and years.
The second big area is what we started with, so I think you start by saying, “Everybody’s predicting the end of email,” but we haven’t really seen it yet, so I agree. I think email is here to stay, but I definitely think that platforms like Slack or Microsoft’s chat platform or other communication channels, like social media, LinkedIn or even Skype, all of these are still relatively underutilized platforms for attackers and I can definitely see those platforms increase in the number of kind of attacks. And so I think we, as kind of email security providers, really need to think of ourselves as messaging or communications security providers and extend our protection to all of these different platforms, not just to email. So those are probably the main two things that I predict we’ll be seeing in the coming years.
Shimel: Excellent. Well, Asaf, as I’d mentioned to you when we started, the time goes really quick. We’re over our 15 minutes, in over time, but, unlike some TV shows, you can join us on YouTube with your questions later. But thanks for giving us this preview. Before we end, people wanna get more information. Maybe they’ll be some of the 50,000 who will be at RSA. Where can they get information?
Cidon: Yes. I mean, obviously, our corporate website has a bunch of information. In particular, I think the most interesting parts are we have a blog where we publish a monthly, what’s called, “threat spotlight,” and so I’ve actually been, probably, the main contributor to that blog. And so, every month, we highlight either a study that we’ve done on the email side or a particular type of attack, and so some of the attacks that I mentioned today are highlighted there and there’s a bunch of others that are. And, of course, some of the other vendors will be publishing some interesting stats for RSA, but, if you’re curious about any of these sophisticated email-borne attacks or social engineering or how to use AI to combat that, our blog is probably a really good resource for that. So kind of recommend that.
Shimel: Cool. Cool, cool, cool. All right. Asaf Cidon, thanks for being our guest on this episode of DevOps Chat. This is Alan Shimel. If we don’t see you, hopefully, we’ll see you at RSA Conference, but, until then, this is Alan Shimel for DevOps.com, Security Boulevard. Have a great day, everyone.