How Mimecast thinks differently about email security

Mimecast CEO Peter Bauer believes the company’s comprehensive approach towards email security has enabled it to remain relevant to customers for two decades

This article can also be found in the Premium Editorial Download: CW Asia-Pacific: CW APAC: Expert advice on security and threat intelligence

With email security becoming more multifaceted, it’s no longer enough to apply email filters to fend off phishing attacks as threat actors increasingly employ a multitude of communication channels to deploy their payloads.

That’s why Mimecast, an email security provider which expanded its footprint in Southeast Asia about a year ago with a regional office in Singapore, takes a comprehensive view of email security with a suite of offerings that includes security awareness training to help workers guard against social engineering campaigns.

On a recent visit to Singapore, Mimecast CEO and co-founder Peter Bauer spoke to Computer Weekly about the company’s approach to email security that has maintained its relevance to its customers for two decades, and the impact of generative artificial intelligence (AI) on the cyber security landscape.

Tell us more about what Mimecast is doing in Asia-Pacific and the growth opportunities you see in the region.

Peter Bauer: This trip is quite special for me. It’s our 20th anniversary this year, and it’s been 10 years since we set up Mimecast in Australia, which was intended to be a platform for us to incubate opportunities in Asia. It’s also been a year since we opened an office in Singapore, and it’s a good opportunity for me to meet our team here, which has grown tenfold. We’ve also built up our global tech support centre in Manila, and over the past year we’ve been training and enabling that team to be part of our regional tech support and global follow-the-sun capabilities.

Email security, which is what Mimecast is best known for, is as relevant today as it has ever been. Globally, we have over 40,000 customers of all sizes, from small companies with 20-50 people to large enterprises with thousands of employees. They also come from a range of industries, including professional services firms that have to manage their brands and reputations.

Over time, the email security problem has expanded to the point where it requires not just a technical solution, but also a people solution. Attackers can take advantage of email addresses which offer a direct path to both the mind and machine of every single person in your organisation. It’s no surprise that email just keeps showing up in our State of email security reports as the initial culprit or one of the prime culprits in breaches and attacks.

And people need to be able to trust the digital workplace. We’ve all learned that we can’t believe everything we read on Twitter, but you ought to be able to believe what’s in your inbox, particularly for things that purportedly come from your organisation. But that’s not guaranteed, and it’s not free to maintain that trust. There’s a need for technology that continuously interrogates the content and the purported identities of people. It has to look for reasons why something should be considered valid or risky.

And so, our work has focused on interrogating that communication at a much deeper level, and equipping people to be smarter in terms of how they interact with data and what decisions they make about the information they receive. We have products for security awareness training, such as a module called CyberGraph, that helps a worker identify messages that might pose a higher risk and understand what they should or shouldn’t do with them. We then develop some telemetry and profile the level of risk that an individual may pose to their organisations.

How is Mimecast doing things differently compared to some of the other email security suppliers in the market?

Bauer: We’ve been in this game for 20 years and we’ve seen email security vendors come and go. We’ve competed with 15 to 20 different names, the majority of which aren’t in the game anymore. I think what has given us staying power and continued relevance with our customers is our balanced understanding that email represents a multifaceted risk. It’s not just about finding bad messages; it’s about ensuring bad things don’t happen to organisations and that requires us to take a comprehensive view of communications, people and data protection.

There are lots of products that go beyond email security – archiving and backup, business continuity and security awareness training – that companies would buy, but our take has been that if you need that many products to solve the problem, that’s not good. And so, we’re focused on reducing not only risk but also complexity by providing a comprehensive suite.

The good thing about that is it allows us to have a more meaningful commercial relationship with a customer, because they’re not buying one thing. That’s where I think a lot of competitors have come unstuck, as they’re focused on building a feature or a product, and it’s difficult to turn that into a long-term company.

Even today, we see new startups that are going after business email compromise and trying to build a company that does that. The problem is so meaningful that it will work for a short period of time, but to turn that into a profitable, successful and growing company, you have to build more.

Our strategy has been to address a broad set of use cases and reduce risk and complexity, while increasingly exposing our value and understanding the role we play as part of a system of systems that companies are already using, such as Okta and CrowdStrike. Through APIs, customers can drive threat intelligence sharing and automation across those systems to help them improve their overall security architecture.

So, while you could filter email with us, you could do that with other companies, too. But when you make your choice, you should look at not just email filtering, but also who’s going to add the most value to your broader security ecosystem.

What are your thoughts on what cloud-based email providers are doing in email security? How can you augment their capabilities with the Mimecast platform?

Bauer: That’s an interesting point, because for the longest time, people would assume that if the mailbox is hosted somewhere, security is provided and built in. Some level of security is there, but it’s too complex a problem for an email provider to solve, even for a mighty organisation like Microsoft, which has made considerable investments in security.

What we see time and time again is that there’s a vast number of threats coming from the Microsoft environment because it’s so widespread. The adversaries have all got Office 365 and they’re able to do two things. One is to use it as a launch environment to attack other Office 365 tenants. Second, they can use it to test their attacks. It’s a bit like Ocean’s 11 where the protagonists get together to plan a bank heist by recreating the vault. If you want to attack an Office 365 tenant, you can recreate the vault to experiment and know exactly how things work.

It’s super-important that Microsoft continues to get better at security, but it’s an intractable problem for them because they are ubiquitous. We focus on adding security value on top of Office 365 to help our customers become more confident and secure in those major investments.

Could you provide an example of what Mimecast can do to, say, prevent a business email compromise attack on a customer that is using Office 365?

Bauer: There are two deployment mechanisms that we offer. One is that the customer will read their emails through us and we will interrogate and examine them before they get to their mailboxes.

We examine the emails through dozens of different techniques. For example, we look at the infrastructure where the emails come from or if someone is trying to imitate the display name of an employee in your organisation. We look at every URL in an email message and whether we know anything about them. We also tear email attachments apart to look for known and unknown malware. We’ve also got AI-driven models that can detect whether something has been generated by AI or malware-generative technologies. All of these things work together to clean up the stream of stuff before it gets sent to a mailbox.

The second deployment option is where the emails may not come to us first. They arrive at Microsoft, but we grab them before they show up in your mailbox. Then, we apply those techniques I mentioned in a kind of gateway-less or API-driven deployment option. We launched that at the end of last year in the UK and US, and it’ll be coming to APAC, continental Europe and South Africa in 2023.

What’s exciting about this deployment option is that it can be done in under four minutes. It can also look back at what has landed in your email environment. We’ve seen some very scary malware and scams finding their way into Microsoft mailboxes that you wouldn’t want to see. This has proven our theory that if you don’t add additional layers of security technology, you’re highly exposed.

We know email is a key threat vector, but sometimes it may just be one of many vectors employed by threat actors in a larger campaign. Against this backdrop, how should security architects think about email security?

Bauer: We see this fairly frequently, as threat actors could be using different communication channels. They could start off with a WhatsApp message and get people to believe they’re communicating with somebody inside the organisation. Or they may create and use a fake LinkedIn account masquerading as someone in a company to contact a victim with a request to download and send a resume to the HR department in the same company. The victim, being helpful, downloads the resume, sticks it into an email and sends it out, bypassing all sorts of security controls.

With WhatsApp, Facebook and LinkedIn, you can manufacture an identity that can purport to be anything, and the human brain naturally wants to make the connection and stitches it together. This really brings us to that human component, and there isn’t a technology solution because we can’t lock up all those services.

We approach the problem in two ways. One is security awareness training, where we spend a lot of time, creativity and budget creating content to help people understand what real-world attacks look like and what the consequences could be. If you don’t understand the consequence of losing your personal information or your credentials, you might not care about it that much.

So, our content is really designed to help people see what happens after your personal information is stolen and what happens if you click on phishing links, or the wrong attachments, or release confidential information outside the organisation. We do it in a light-hearted and comedic way, so it creates engagement.

The second thing, as I briefly mentioned earlier, is that we help security professionals understand the risk profiles of individuals who work in a company, based not just on behaviours, but also their job titles. So, if you are responsible for payroll, you will have a higher risk profile than another person in manufacturing as you’ve got something more interesting for an adversary.

The third piece of it is if people see something suspicious, we provide mechanisms for them to report it because the human mind is quite clever. There are billions of pieces of communication moving around, and there’s no way we can rely on computers alone. If human beings spot something, we want to know, even though the majority of what people report is benign. But periodically, something may be of interest, and we need to block some of the characteristics of it for everyone.

I recently spoke to the CEO of Check Point Software about ChatGPT. He was talking about how such technologies can make it much easier for threat actors to craft the perfect phishing email. What are your thoughts on that, and what is Mimecast doing to help customers mitigate such threats?

Bauer: Historically, we’ve benefited from the fact that person-to-person targeted scams, which could be very effective, are expensive to create compared with a machine sending out 10,000 scam emails to harvest credentials 1% of people could fall for. With generative AI, software can be used to emulate a person-to-person attack more closely. It can learn what works and improve through lots of data from social environments and the vast number of breaches that have occurred.

It’s worrying, and there’s a whole new level of work that we all have to do, because we will not have the benefit of knowing 10,000 machine-generated scams and just five human-to-human scams. It could be 10,000 machine-generated human-to-human-like scams, and that can really start to pollute the workplace environment.

Twitter bots could start saying all sorts of things that seem even more plausible than the nonsense they spew out today. But in your digital workplace, you have an expectation that things are somehow protected and more trustworthy. If that balance tips, then we’re in a very bad place in terms of our ability to work together, because we largely work together online now, and we only periodically meet each other in an office or a meeting.

We’re very focused on going even deeper to understand generative AI technologies. It’s not good enough to just block something generated by ChatGPT because there’s also a lot of legitimate content. You have to be able to interpret things and look for meaning and intent. There’s still a lot of work that’s going to go into this, but we feel we have an advantage because we have so much history and reservoirs of data and context.
