Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
Welcome to the Audit, hosted by IT Audit Labs.
I'm your producer, Joshua Schmidt. We have Nick Mellem and Eric Brown, and today we're joined by Mick Leach from Abnormal.
How are you doing, Mick?
I'm well.
Thanks, good to be here, guys.
Thanks for having me.
Absolutely. Thanks for joining us today.
We're going to jump right into it with an icebreaker question to get to know you a little bit better.
What was your favorite band?
Were you like a hair metal guy in the 80s, 90s?
(00:27):
Uh, were you a grunger?
Were you a hip-hop guy?
What was your favorite music?
Mick Leach (00:31):
Oh man, so this is so embarrassing.
So I was a bit of a prep, uh, in school, and, uh, so preppy kid.
Uh, was in the band, uh, played the trumpet.
So not the coolest aspect of my life.
I did go get shot at instead, uh, to make things later.
Eric Brown (00:47):
Yeah, yeah, it's kind of, yeah, balance that out some.
Mick Leach (00:53):
Um.
But yeah, I probably DJ Jazzy Jeff and the Fresh Prince.
I was a big fan, right, I was a big kind of rap guy, or at least I fancied myself one.
That was the closest I could possibly get to being cool, love it.
Nick Mellem (01:10):
How about you, Nick?
I gravitated like the rock and country.
I like both.
But I would have to say, back when I was younger, I think I'm still relatively young, but I'd have to say Metallica.
I had the full door poster of all the members on my, on my door when I, you, you know, lived with my folks a long, long time ago, so I'd have to go, to go with Metallica. Eric, I'm dying to
(01:31):
hear yours, I know I go any direction.
Eric Brown (01:34):
Yeah, I was all over the place in high school.
I'd probably say rap like Public Enemy was, was probably the go-to.
But I had some pretty eclectic tastes.
Like right away in college I kind of switched to older, like 60s, uh, R&B music like Sam Cooke.
Um, now I listen to a lot of jazz and just kind of chill on Sundays.
(01:54):
That's one of my favorite things is just relaxing on Sunday morning with the, uh, with the record player, with some, some good jazz music. I didn't know you were a vinyl guy.
Joshua Schmidt (02:04):
I'm gonna have to trade some vinyl, so we'll do it.
I want to get in on that trading.
Yeah, mine was Smashing Pumpkins.
Uh, it was big Smashing Pumpkins. I still am, still am, although I haven't put out anything that I've been really excited about in quite some time.
But, uh, 1979 was one of my favorites. That's right, that's still one of my favorites, but yeah, well, now that we get to
(02:25):
know each other all a little bit better, um, we'd love to hear more about you, Mick, and, uh, kind of your background with Abnormal, how you got into, you're doing some public speaking now, I know, and you're, you're doing, are you doing virtual CSO work or are you doing some sort of CSO work as well?
Mick Leach (02:39):
No, just so, as a field CSO, I go out and, uh, a lot.
So, as you mentioned, right, lots of webinars, lots of presentations, industry stuff, you know, just a lot of.
You know, sharing, sharing thoughts and opinions, that kind of thing in the security space, leveraging, you know, 20 plus years in IT and security to share thoughts and opinions on
(03:00):
where things are today and where they're going.
Joshua Schmidt (03:03):
Great, and how did, what kind of got your, piqued your interest in that and got you into the cybersecurity world?
Mick Leach (03:09):
Yeah.
So I took a sort of eclectic, scenic route into not only IT but cybersecurity in particular.
Out of high school I joined the military.
I was in the United States Army for nearly nine years and got out and was able to parlay that, you know, all of that exciting
(03:30):
stuff into a job in IT.
How that happened, I have absolutely no idea.
But started doing IT things for a little while and then an opportunity came to join the security operations team that was starting up, and so this was at a Fortune 100 insurance company.
Once I got into that and did a couple of SANS courses, I
(03:51):
realized this is what I was built for, right.
It combined my love and my excitement for protecting others from the military with this sort of digital aspect that I enjoyed.
I was also a nerd, a geek, and loved building and tearing apart computers, and so there was this beautiful convergence of being able to both defend and remain technical at the same
(04:16):
time, and so I did that for a while and then got an opportunity to start building and leading security operations teams at Fortune 500 companies.
And then, after doing that and protecting other companies for a good while, I realized I wanted to make a broader impact.
Right, I wanted to try and move the needle on the industry.
Yes, it sounds, you know, idealistic, yes, it's silly, but
(04:39):
I wanted to try and make the world a safer place, and so I knew there's a couple of ways you can do that in our industry.
Right, you can join the government and try and do things that way.
The thing is it doesn't pay very well and I've got a big family, so I realized I'm going to probably need to stay in the private sector, as it were.
(05:00):
And so I knew that the other side of that is probably joining a vendor or a service provider, and so I had a short list of folks that I really respected, companies that I'd worked with over the years, where not only was the tech super cool and worked, but the people were really neat and I loved what they were doing.
(05:20):
You know, CrowdStrike was in that list, Imperva, there's a handful of companies just doing some really neat things, Palo Alto Networks, and one of them was at the top and it was a company called Abnormal Security.
It was an interesting company.
I'd bought and used their solution for about a year and a half and it was awesome.
It changed the way that email security was being done and I
(05:44):
thought, man, if they would ever have a role doing what it is I do, man, I would love to join that company.
And, lo and behold, a role popped up on their website.
I applied and next thing I knew I was working for the good guys here.
The stars aligned.
Joshua Schmidt (06:00):
Yeah, yeah, I think Nick can relate to your career trajectory there. Yeah, I was already thinking it.
Nick Mellem (06:07):
Yeah, I had.
Uh, took the scenic route, as you put it.
Uh, was in the Marine Corps, uh, not quite nine years, but I did four and got out.
But I think when I was in I would always, you know, I was, when I was deployed or if we were doing field operations, you know, I'd come back all sweaty and dirty and I'd see the IT guys in there.
I was like, well, these guys are, they got some AC?
(06:29):
Yes, water.
Mick Leach (06:31):
I mean, like, so I get your connection, dude, I was so jealous of those guys sitting in that, like, tonics or whatever, that air conditioning tonics.
Nick Mellem (06:39):
I'm over here, you know, chewing on dust. You're over in Afghanistan with some moon dust and you go back to the CLC for a debrief and they're all just.
I mean they're doing good work, but they're certainly nice and cool and well hydrated.
Mick Leach (06:54):
I love it.
I love it.
Well, yeah.
So I joined Abnormal as the head of security operations initially and building out that program.
And after about, oh man, almost two years of doing that, or I guess it was a little over two years, they said, you know, Mick, we'd love for you to do a little bit more of the public speaking stuff.
And I was like, guys, you're killing me.
(07:16):
I mean, I'm barely getting my OKRs met now, doing, because I'm, you know, at the time, I'd travel and I'd speak and then I'd go back to my hotel room and I'd work for another six to 10 hours in the hotel room trying to get all my actual daytime work done.
And I was like, guys, I don't know, I don't know if I can do
(07:38):
more speaking and still get my job done, my daily job.
And they said, well, what if we, what if we backfilled you, uh, like your daytime stuff, and then you would be freed up to do more?
I was like, uh, is that an actual gig?
Like, what would that look like?
What would we even call that?
Tell me more, I know.
I was like, I mean, I'm not opposed, I enjoy the speaking
(08:01):
and the traveling, but what would that?
You know, what will we even call it?
And they said, well, we could call it field CISO.
And that was the first time I'd ever heard the term.
I had to go Google it, and I've met a few others of us and we actually have a group now, a group of field CISOs, where we kind of share, you know, some of the challenges, some of the successes, uh, so that we
(08:22):
can sharpen one another, and, and that's been super cool too.
But yeah, there for a minute I was like, I'm not sure, so we decided to do it, started up and, uh, it's been almost a year now in this role and just having a blast.
Joshua Schmidt (08:38):
That's cool.
We call Eric the flying CISO 'cause Eric's a pilot and a CISO as well.
Eric Brown (08:42):
So yeah, yeah, and, you know, I really do think highly of Abnormal, have used it in a few places, and just the nature of our work.
Sometimes we get dropped into some pretty hectic situations.
I guess you could say, you know, where a company is experiencing
(09:04):
challenges or maybe they need to go in a different direction and, unfortunately, most of the time it's bad email security.
Most of the time they're using Microsoft's off-the-shelf products, which are terrible.
I don't think I'm telling anybody anything they don't know, but I mean they're.
They're just awful.
Not only do they not work.
(09:26):
The problem with Microsoft's tools is you have that false sense of security where they've wrapped this into your licensing and then you're expecting it to work.
But then when it doesn't work and you go and figure out, well, why isn't it working?
It's like, oh, I didn't have this setting turned on or this slider wasn't in the right area, and you're like, well, shoot,
(09:47):
you know, we just had an exposure because we thought we were protected.
Time after time I found the Microsoft stack, and they have a few different iterations of the name, from Exchange Online Protection, I think now they're calling it Defender for Office 365, Plan 1 or Plan 2.
I think Plan 2 has a little bit more of the synthetic testing
(10:09):
in it, but the product's all the same.
It doesn't work and you need something else to help.
One of my favorite recent examples with the Microsoft stuff was Microsoft would classify the email as either
(10:31):
suspicious or malicious and, instead of deleting the email, they put it into the user's junk folder or deleted items.
And what do the users do?
Oh, a new email popped up in this folder.
Yeah, it says deleted or junk, but I'm going to still go in and see what it is and then click on it, and Bob's your uncle.
So it is really tough to change that behavior in the user
(10:58):
culture change, change, education, all of that, and it's really tough to make those changes on the Microsoft side of having it permanently delete that item.
So you need a tool like an Abnormal that's going to come in and inspect that and use some intelligence around why it might be a malicious email.
(11:20):
We see a ton of email threats across our different customers and it seems all of the time the malicious actors are getting more and more sophisticated with domain impersonations.
Saw one the other day that was impersonating the delivery service DSL, and they were.
(11:43):
It looked really legitimate.
But then when you actually go in and, DHL, sorry, when you go in and actually look at it.
It was a domain coming out of Turkey, but the email tools like Abnormal were catching it and categorizing it correctly.
What I wanted to ask you was, as you were working at Abnormal,
(12:05):
maybe give us a look behind the scenes as to the technology and, you know, we can kind of kick around the term AI, but what I think is the differentiator with Abnormal is it's looking at the email content and even if there's no URL, even if there's
(12:25):
no attachment, but the email itself is trying to socially engineer someone of, you know, hey, the CEO fraud where you're trying to get somebody to go out and buy some gift cards and then email back the codes or whatever.
It is Abnormal's picking up on that and that's really hard to
(12:46):
do.
So I'd just love to hear more about how you're doing that and where the industry is going as these attacks get more sophisticated.
Mick Leach (12:55):
Sure, sure, yeah.
So a couple of things to kind of unpack.
First, I know, as you were talking about having users that love to go dumpster diving in their trash folder and go and find things.
So there are two things that used to drive me crazy about email security solutions.
Number one is just that, that the solution would either take a
(13:19):
malicious message and move it into the trash and then just hope that our users wouldn't go in there, but inevitably there's always a dozen or there's a handful of very inquisitive users who can be problematic, but they love to go dumpster diving, say, oh, let me see if there's anything in here I really wanted.
(13:39):
Why are you in your trash?
Right, it's almost like putting razor blades in the trash can of a four-year-old.
Someone's going to get hurt, okay, and inevitably someone would.
And then the second aspect is almost worse, is that they would still deliver the message, but add a banner that we've all
(14:02):
become numb to and you don't even see it any longer, but a banner that basically says, hey, this could be malicious.
We're not sure, so we're going to just deliver it and let you figure it out.
Like, I mean, Marcy from marketing, who has absolutely no security training whatsoever, we're now going to leave it in her hands
(14:22):
to decide.
You know, even our actual million dollar technology could not figure out whether it was malicious or not, so we're going to leave it up to Marcy, or, you know, Marty, or whoever from marketing.
You know, this is what used to drive me crazy.
This is where we always got ourselves hurt, and so, you know.
That's what I love about Abnormal is that it's taken a
(14:44):
fundamentally different approach, and it starts.
It starts in two ways, right.
First is the architecture is just different, right?
Rather than trying to do, like, a castle wall and the moat being on the perimeter and then letting everything come in and out of that one drawbridge gate, rather than doing that, they're
(15:07):
using an API architecture.
So as a SaaS solution, it sits completely outside of the tech stack.
Now I remember the first time I had a POV with the co-founder of the company.
Sanjay had come and had a meeting initially with me, and then we did a POV, and as he was explaining this, I was like,
(15:28):
wait, wait, wait, wait.
Are you telling me that he just sits on the side and evaluates, kind of after the fact? I mean, this sounds horrible.
This almost sounds like an IDS for my email.
That's like the worst thing I could possibly imagine.
Can you imagine something being more noisy than that? Good Lord.
(15:48):
There's just no way.
And he said, no, no, no, Mick.
So just because we're using an API to see into the emails doesn't mean that we can't also remediate.
We can just make an API call and move things into a hidden folder the user can't see.
And I was like, oh, okay, well, that makes a little more sense.
(16:08):
And so, you know, we got into talking about it.
But that architecture, that API architecture, it gives you so much more visibility than you could possibly get with a traditional secure email gateway. For example, the gateways can see north-south traffic beautifully, everything that passes through.
It's got that covered, great, thanks.
(16:30):
But what about all that east-west, internal-to-internal traffic?
At most companies that's like 70%, 80% of the email traffic is just internal-to-internal.
Imagine buying a multi-million dollar security solution and then telling your leadership, yeah, this is great, it's really good.
It can't see 70, 80% of our traffic, but the 20, 30% it can
(16:54):
see, it's great, really happy with it.
I mean, I would get murdered in my bed at night if I told my leadership that's how this worked.
So, you know, it gives us unparalleled visibility.
The integration is trivial because it's all, you know, it's API driven.
You know, you essentially set up the credentials and you're in business.
(17:15):
And the last aspect on that architecture side of things is the time to learn, right?
If you think about a SEG, it has to wait for enough messaging to pass through its filter for it to learn.
That could be months before it's fully trained, right.
Using an API, you can do a look back in time, and so now I can
(17:35):
look back, you know, 30 days, 60 days, and force feed all of that data through my machine learning models, and now we're training in hours and days rather than weeks or months, so that's super powerful.
On the detection logic side is what was more interesting to me.
(17:56):
For years, our security tooling, everything I've bought for years, has been asking what I think now is the wrong question.
It was asking the question, is this bad?
Well, the challenge with that is that you have to have a good definition of what bad looks like, right, so you have to define evil, and that definition is constantly changing.
(18:19):
It also means that someone had to have gotten bit first and then define that evil for the rest of us to be protected.
It's like spotting the attacker the first foray.
I'm not comfortable with that.
Neither are most professionals I know.
So instead of asking the question, is this bad, Abnormal
(18:40):
is taking a different approach and saying, is this good, or is this normal?
That's the right question, in my opinion, and the way you answer that is by baselining your environment and understanding what normal looks like, right.
Because of the way that Abnormal is able to plug into your environment, it can see not only all of your email traffic,
(19:02):
which is great, but because of the way it plugs into the Microsoft 365 stack, now it can see all of your Azure AD logs.
It can see your Teams notes, right, so it's getting so much more data around who your users are and how they work information.
You can create kind of a profile of each and every person,
(19:24):
who they work with, how often that is, the times of days they log in, all of that.
And now I can tell when it's no longer Eric's hands on the keyboard, even though, right, the past authentication, past
(19:45):
MFA, the login is good, but maybe this isn't actually Eric on the keyboard today, and that's what's impressive, calls out
(20:06):
that suspicious activity and where it really identifies that you may have an active issue going on.
Eric Brown (20:08):
That, that's helped this out a couple of times, where even in the, the demo mode of Abnormal, where you basically bring it in in read-only mode and it, it looks at the environment and then starts to learn, kind of that process that you were talking about.
But I've seen it identify issues that needed to be
(20:28):
resolved during that time frame, and it's just kind of that proof of value right there that, you know, it's going to pay for itself.
Mick Leach (20:37):
Yeah, yeah, you know, when I took a look at it, Sanjay, he'd said it could be hooked up in under a minute.
And I mean, I'll be honest, I'm a little hurt, right, I don't know what, I think we're all.
We all have trust issues, which is why we get into cybersecurity in the first place.
But, you know, I've heard lots of vendors make these outrageous
(21:01):
claims before and I had had kind of enough of it, and I was like, there's no way.
There's no way that this takes under a minute, that we're a Fortune 500 financial services company.
Okay, I can't do anything in under a minute.
I can't do anything in under a week at this company, right, it's just, there's so much to do.
And so I was like, that's, there's no way.
(21:23):
I'll bet you lunch today that you couldn't possibly hook this up in under a minute.
And he was like, all right, deal.
So we brought, we brought the, the, uh, the admin in and he had the right creds.
And, sure enough, Sanjay, thankfully, is a very nice man and he did not hold me to buying lunch, otherwise I would have
(21:44):
been, because it was.
It was like, at that time, 30-35 seconds, and it's even shorter now, uh, to get it all hooked up and learning.
And I was like, all right, fine, you're right, you, you win.
It only took, you know, 30 seconds to get it hooked up.
Uh, all right, show me the evil.
And, all right, well, Mick, let's give it a minute to bake
(22:04):
and let it learn and we'll give you a call.
And sure enough, like, a couple of days later, he called me up and he was like, all right, Mick, so listen, we've got your report ready for you.
There's a lot here to unpack.
I was like, what do you mean?
There's a lot here to, to unpack.
I was like, what do you, what do you mean?
(22:24):
There's a, a lot to unpack here.
I, I have a great tech stack.
I was like offended.
I mean I'd spent three years and millions of dollars building the tech stack of my dreams, and so for him to say that there was a lot there to consume.
I was like, well, hang on now, like, and he goes, yeah, we'll actually get to that in a minute, but we do want to call your attention to one thing in particular.
You have a threat actor that's corresponding with one of your
(22:48):
HR business people live right now and we think maybe you should get involved.
I was like, wait, what?
And, uh, sure enough, we, I found the email that he was talking about and, yep, there was a threat actor who claimed to be one of our associates.
I'm kidding, yeah, oh yeah.
They found him, one of our high-paced associates, based at
(23:10):
least on title on LinkedIn, and then cross-referenced that with Instagram, saw that they were posting pictures from Cabo having a wonderful time on vacation with their family, and then created their first dot last name at gmail.com. Apparently they hadn't done that yet, and now never can, and sent an email
(23:34):
to HR and said, hey, just having a wonderful time on vacation.
Thanks for asking.
That's why I'm sending this from my personal account, because I don't have access to my corporate account, of course, but I just remembered I changed banks at the beginning of the month and that hotel bill's come and due, so if you could just fix that up for me, I'd be very grateful.
And, to her credit, God love her.
(23:55):
She said, no, you didn't fill out the right form.
It's attached for your convenience.
Oh, so it will not surprise you that that threat actor filled out that form better than anybody in the history of that company, and she was preparing to make the change when we caught
(24:17):
it and, uh, so we were able to very quickly step in and get that squared away.
But there were, there were lots and lots of things.
I will tell you.
I was horrified at the amount of threats that were quietly slipping through my tech stack at the time.
I mean, with email, if your users don't complain and your tools don't catch it, you will never know.
(24:39):
Right, like, you know, many of my users were quietly, thankfully quietly, ignoring a lot of the, you know, social engineering attempts, the phishing attempts that were coming through.
Then a few, as we learned, were quietly interacting with them and, you know, paying bills, fraudulent bills, or buying gift
(25:00):
cards because they thought someone in leadership wanted them to, like.
Come on, think that through.
Like, the CEO does not need you to go buy some gift cards.
Nick Mellem (25:10):
At Best Buy or whatever, and scratch the back off and then send a picture of it and do all these crazy things, but they do it because it works.
Mick Leach (25:19):
It does work, it does work, and it's the reason I'm so passionate about cybersecurity as a whole.
I've had a family member, my wife's grandparents, fell victim to a very, very lucrative, for the threat actor, social engineering attack, and they were able to drain their bank
(25:40):
accounts out, and, you know, it really hurt them, and so I've seen this firsthand, even in my own family, and I know I'm not the only one.
I speak with folks all over the country and they have had similar things happen.
So that's, that's the reason I love my work.
I love the fact that I get to, you know, move the needle on the
(26:00):
industry and try and make the world a better place.
Nick Mellem (26:03):
Have you, maybe kind of a random question, but it's still attached to this, have you seen the movie Beekeeper?
Mick Leach (26:09):
That's like my dream scenario, right?
I mean, yeah, I would love for someone, not me.
Nick Mellem (26:18):
You might have the credentials.
Mick Leach (26:19):
To do that.
Well, yeah, maybe not like that.
Nick Mellem (26:23):
No, the movie fit along and I obviously wanted to tie that in there because you brought up your wife's grandparents, I think it was.
Yeah, it's really clear.
You can tell the passion that you have just by talking.
You know, how you have throughout the show so far.
You know, we're talking about some trends.
Are you able to get into that a little bit more, like what you
(26:44):
guys are seeing?
You know, maybe what trends are happening now or what you've seen maybe in the past year.
You know, whether, you know, we had the Olympics starting.
Now we had the episode of CrowdStrike last week.
You know, have you seen new trends come up?
Mick Leach (26:56):
Maybe if you could just share some of your insight there. Yeah, what we've learned, and what I've learned since my, since just in my time here at Abnormal, is that threat actors will never waste a major crisis.
Right, you know, during the pandemic they were, they were snapping up domains and creating all kinds of things so that you could register and get your, you know, your refund or
(27:19):
whatever.
We were supposed to get there for a minute.
And the most recent stuff is no different, the Paris Olympics.
There's lots and lots of social engineering, phishing attempts out there trying to convince you to go to a website that looks like it could be legit and interact with it, maybe log in,
(27:40):
that sort of thing.
They're going to collect your credentials and then start logging in to your corporate system.
I mean, not that any of us or anybody listening would ever reuse a password, but there are those, I'm told, that do that, and so that becomes a problem with credential harvesting.
(28:02):
And the CrowdStrike one was no different.
Um, you know, we've.
We saw right away, even on Friday.
So it happened on Friday.
Even on Friday, we saw reports, uh, from research, threat researchers on, on, uh, Twitter, sorry, X now, uh, that were coming up showing that threat actors were registering brand new domains that looked like CrowdStrike, fixcom, you know,
(28:26):
crowdstrike dash outage, crowdstrike dash BSODcom, all of these different fraudulent URLs so that they could stand up websites that look legit and then start sending out those phishing emails that will ultimately harvest credentials.
So that's kind of the biggest thing we've seen in terms of new
(28:50):
threat vectors that are constantly coming out.
A couple other big ones that we've seen lately.
They've been occurring for a little while now but are not going to get better.
They're going to continue to get worse.
Number one is, like, QR code phishing.
Right, this one, this one's nasty, um, because, and, and for
(29:12):
a reason many people don't think about, it's, it's largely because if someone sent you a QR code, an email with a QR code in it, to your corporate email, how are you going to scan that QR code?
Eric Brown (29:27):
You're going to use your personal phone and break out of the corporate walled garden.
Mick Leach (29:31):
Absolutely.
That's exactly what you're going to do.
Everybody does the same thing, they pick up their phone, they point it at the screen, and now you are sidestepping your entire tech stack. Brilliant. Your entire multi-million dollar tech stack.
We've got all these things to protect our users, and now they've convinced them to use something else, and now they're going to be logging in using their corporate credentials,
(29:53):
thinking they're doing the right thing.
But now we don't have any logging, we don't have any alerting, we don't have any defense capability, and so that one's particularly nasty for that reason.
Nick Mellem (30:04):
Well, Josh does love the QR code menus at the restaurants.
Mick Leach (30:08):
Right.
Nick Mellem (30:08):
Yep.
Mick Leach (30:09):
Yeah, I mean, let's be honest, it's almost like the pandemic had been training us for three years how to choose.
Yeah, all of us, because we couldn't touch anything.
It's now, you know, everywhere you go there's a QR code.
I went to an event last November in Columbus, Ohio.
I live a little bit north of Columbus, Ohio, and I was down.
(30:31):
That's like my backyard, this hometown for me.
I went to an event there and had to park and went to shoot, because now even the parking meters use a QR code that you shoot and then you interact, you pay online, basically.
And I was getting ready to shoot the QR code and I noticed it was curling up at the edges and I thought, well, what is
(30:54):
that all about?
And started to unpeel it.
The actual QR code was underneath, and so I shot that one, just because I'm a security guy, right, and I'm a geek and I'm curious.
That's why we all get into this and are good at it.
So I looked into it and, yeah, it went to a fraudulent website
(31:16):
that looked as, I mean, I didn't know what the real one should look like, so that one wasn't, you, you wouldn't have caught it.
Nope, would not have caught it.
I have no idea how much that they, they could have cleared with that, you know.
So those, the QR code ones, are particularly nasty because they're everywhere.
And even, you know, even folks like my grandparents have now
(31:37):
been trained through the pandemic.
Right, they never, they didn't know how to work, you know, a smartphone.
Now they're shooting QR codes all over the place because the pandemic taught them how.
Nick Mellem (31:47):
Yeah, they're on commercials on TVs now, you know, yeah.
Joshua Schmidt (31:51):
Yeah, outside of buses.
Would that be called quishing?
Mick Leach (31:55):
It is, it is, and I hate that phrase and I have words saying it.
I can't say it without feeling nauseous.
Quishing, kishing, I don't know.
Joshua Schmidt (32:05):
I'm just curious.
We just talked about the QR code phishing or quishing, whatever you want to call it.
Have you seen any other unique threats emerge?
It almost seems like the traditional keyword search is a little outdated, although it probably blocks a good portion of malicious emails and is probably still useful to some degree.
(32:26):
Maybe you can speak to that, but have you seen any other trends besides the QR phishing that have been popping up?
That might be interesting.
Mick Leach (32:35):
Sure, yeah, let me give you two more, then, because the one you just brought up reminded me of a short story, and I promise I'll try and keep this short. At my last gig, talking about different kinds of attacks.
The keyword searches is what we had in my secure email gateway at the time, and it was good.
It did a good job.
(32:55):
It caught things like, you know, Bitcoin and kind of the stuff you would expect, but I had a sextortion campaign roll through.
This was ultimately what drove me to look for something else, where I ultimately found Abnormal, and in this particular one, I had an enterprising threat actor who had taken a
(33:16):
screenshot of the extortion notes that, you know.
If you've not seen these, they purport to have, uh, turned on your webcam while you were surfing pornography on your corporate computer.
Because who doesn't do that, uh, you know, just on the daily?
You would be surprised.
Well, it's funny.
You would say that because, you know.
(33:37):
Yes, so we sent this out.
The thing was, because it was a picture, right, the resulting JPEG file was not malicious in any way.
He pasted that in as the body of the message and, like, my SEG couldn't read the words in the picture, so it sailed right through all of my security stack and started causing quite a
(33:58):
stir.
When it landed in my user's inbox, I started getting these weird phone calls like, Mick, do you know how to open a Bitcoin wallet?
Nick Mellem (34:07):
I was like oh boy.
Mick Leach (34:09):
Well, you know what?
I don't even want to know, yeah.
Eric Brown (34:13):
I don't know.
Mick Leach (34:16):
At any rate, it's those kinds of things that short circuit many of the traditional security controls we've been using for years, and I had never seen one like that.
And that was one of the first things I brought up to Abnormal, when I sat down with Sanjay, was like, hey, here's a recent example, could you have caught this?
And he said, oh yeah, it was like, tell me more.
(34:37):
And he said, well, we use, we use a machine learning model called computer vision.
That's, uh, it's kind of like OCR's big brother, right, optical character recognition.
It's kind of like its big brother.
So it can even, it can look at the message body, regardless of whether it's text or it's an image or a QR code, for example,
(34:59):
and so that's how they're able to identify and ultimately resolve a DNS entry for a QR code or read the words in a picture.
And I was like, well, hot dog, this is pretty darn neat.
And it worked.
I never saw another one again after I plugged Abnormal in.
So good, good stuff.
(35:20):
The second thing that I was going to tell you is really around AI, generative AI.
This will not surprise any of us here on the phone, but it has absolutely lowered the bar of entry for threat actors to attack folks today.
You know, folks that couldn't craft a coherent English
(35:40):
sentence yesterday can now write better than my 10th grade English teacher, Mrs. Fox, and that's saying something.
If you're out there, Mrs. Fox, still remember you.
I'll turn it in tomorrow, I promise.
But that's the kind of stuff that, you know, we're dealing with today, and it's not necessarily that it's more sophisticated
(36:03):
than we would ever see with spear phishing.
But the volume is such, because now, instead of, it would take 20, 30, 40 minutes to craft a good, realistic spear phishing message.
40 minutes to craft a good, realistic, you know, spear phishing message. Now, using, you know, generative AI, whether
(36:24):
it's ChatGPT or Gemini.
Pick your favorite flavor, then you can craft these ad nauseam.
Right, you can automate that.
You can even automate it to where it'll find victims on LinkedIn.
We will automatically scrape public websites like Instagram and Facebook.
You know, whatever you're into, it can learn and then craft a very realistic looking message that you will almost undoubtedly
(36:47):
click on, because it knows what you're into.
And so that's what makes it really hard, because a lot of the traditional things that, not only our solutions have been looking for for years, but what we've been training our users to watch for, things like clunky grammar or misspellings or a sense of urgency.
They're trying to convince you to do something fast.
(37:09):
Many cases, those aren't there.
And then, if you think about our tech, it's been looking for signals or signature-based detection.
It's been looking for some sort of definition of evil.
So is there a known malicious URL?
What about a known malicious attachment?
Or what about a bad sender?
(37:30):
The sender has a history of doing this.
Those are the things that it's been looking for for years and years that simply aren't present anymore.
Eric Brown (37:39):
One of those that I recently came across with Abnormal was the newly minted domains.
There's zero reason why a domain registered yesterday is going to send me anything that's legitimate, but being able to categorize that and filter that out is hugely important from a
(38:00):
security posture standpoint.
Mick Leach (38:02):
Yeah, absolutely.
Those are some of the key things that we take into account, and a lot of other security solutions are doing that today too as well.
There's lots of good SEGs on the market that are doing that.
I think where Abnormal is a little bit different is it not only goes beyond just analyzing the headers?
Right, is this domain stood up recently?
(38:25):
Where did it originate from?
These kinds of things?
But it'll actually go further and say, have I ever received an email from this person?
Because they're purporting to be somebody I work with.
They're trying to get me to pay an invoice.
Have I ever worked with them?
Have I ever received an email from them?
If I have, did it always originate from Amsterdam?
(38:48):
Because that seems unusual.
Most of the vendors I work with are here in the States, and so it can even look at those mismatches of, yes, you work with this person, but that origination is actually from Amsterdam and it's never come from there before.
So these are the kinds of, it's more like behavioral data
(39:11):
science and data analytics that allows Abnormal to catch things that nothing else simply can today.
Eric Brown (39:19):
I've got one for Josh.
Josh, what do you call a malicious link embedded in a Word document? That's wishing.
Joshua Schmidt (39:33):
I think you secretly enjoy these ishings.
I do.
Eric Brown (39:40):
So, Mick, with Abnormal, right, all of Abnormal's eggs, so to speak, are in really largely one basket.
I know there's some ancillary work around Slack and Teams and things like that, but a majority of security is related to email
(40:00):
security, and that's a huge thing.
I mean, email security is the number one and two issues of security pretty much any organization you work with.
If we go into work with an organization, we ask them, what email filtering tools do you have?
And they don't have anything but the incumbent tool that
(40:20):
comes with the email suite that they've purchased.
That's a red flag of OK, from a maturity perspective.
They really want to get better at email security.
(40:41):
Coming off of this CrowdStrike debacle, they could very well say, hey, we want to get better at endpoint security, and they could make a large investment in email security and get really good at it quickly.
Or buy a company like an Abnormal that is already good at
(41:01):
it and integrate that into their ecosystem, and then all of these secure email gateways or other API integration security tools would essentially, the market would disappear overnight.
Do you worry about that, or what are some of the thoughts that you have around being myopically focused on one
(41:23):
particular domain of information security?
Mick Leach (41:27):
So I'm so glad you brought that up, because that's exactly what I asked when I interviewed with Sanjay, co-founder of the company, before I joined the company, and we had a good interview.
But he got to a point towards the end, he said, Mick, I want you to go ahead and ask me the hardest questions you have.
And I was like, OK, I mean, are you serious?
(41:48):
And he said yeah.
I said, all right, well, look, not to hurt feelings.
But I mean, you have a great product, but it's in a niche area. Like, what's the plan?
Is the plan to get bought?
Is it to, to?
I mean, what?
What are you going to do?
And he said that was the right question.
And he said, let me show you the.
(42:09):
You know, the roadmap.
And I said, ah, I've seen the roadmap every quarter in my, in my QBR for the last, for the last year and a half.
I know your roadmap really well.
He said, no, no, no, this is the roadmap, and he showed it to me.
He said, this is the roadmap you've seen as a customer. Now, because you've signed an NDA as part of this interview, here's
(42:31):
the roadmap that we really want to tackle.
And I remember looking at it with my eyes just like dinner plates, and I was like, are you serious, are you really going to try and tackle all of this?
And he said yep.
I said, all right, well then, I'm in, I want to be a part of what you want to do.
So, um, you know, even, and I've been here almost, almost three
(42:54):
years, it'll be three years in like three, three weeks, so I've been here nearly three years, and even three years ago, they had a long-term plan for the areas that they really wanted to tackle.
It's so much more than email, if you want to think of it that way.
We're, we're an AI company whose first foray, like our
(43:15):
first act, was email, but there's more coming and you've seen that with.
So last year at RSA, so in 2023, that's when they released, you, Eric, you alluded to it, right, that same detection, like anomaly detection, that we're doing for email, we released for
(43:36):
Teams and Slack and Zoom.
So, because we saw that attackers, once they were compromising an account, they weren't even sending emails many times, at least not internally, because we've all done a good job as security professionals training our users to be very wary with email, we have not done as good a job, if I'm honest, myself included, of teaching them to bring that same
(43:59):
rigor to things like Teams and Zoom and Slack chat programs.
They just think, well, that's Bill.
I talk to Bill every day.
It may not be Bill today, so that's what's important there.
But then this year at RSA, we announced some new integrations.
(44:20):
So we're integrating with, I think it's 12, yeah, 12 major SaaS applications, things like Workday and DocuSign, ServiceNow, Zendesk, right, a lot of these enterprise applications, uh, Salesforce is another big one, um, a lot of these SaaS
(44:41):
applications are awesome, super powerful, but because they sit outside of your tech stack, the logging doesn't always make it back into your SIEM.
And even if it does, we just may not have the breadth of, of understanding and the breadth of logging to understand anomalous activity, especially as it dots across several of these
(45:04):
different applications.
Right, what happens if someone compromises a Workday account?
They log in.
If you're using SSO, great, that's best practice.
But you could still, especially if the account has been compromised, the SSO would just note that there was a valid login, right, to this application.
(45:27):
But now they're bouncing around in that application, they move to another application, right, and so with all these disparate things, you may not be able to link it all together to understand that there's something actually malicious happening, and so that's something that we're really tackling as we go forward.
So we're calling this universal account compromise or universal
(45:48):
account takeover protection.
So it's universal ATO is what we're calling it, and so it's the same account takeover detection logic that we're applying in your Microsoft 365 stack today.
We're applying that same logic into all of these different SaaS applications.
So we're going to deliver that here in the next couple of months and we're going to roll it out with 12 applications,
(46:12):
initially SaaS apps, but we want to get to as many as 80 by the end of the year.
Eric Brown (46:19):
That's great, congratulations, yeah.
Mick Leach (46:21):
Yeah, it's an exciting time to be here, and these are the things that I saw three years ago, basically on a napkin.
It might as well have been, and it wasn't a napkin, it was a spreadsheet, but it might as well have been, but these were the aspirational things that I saw three years ago that made me desperately want to come here and be a part of what they're
(46:44):
doing, and I think with the recent governance coming out of the EU, with how they're treating enterprise chat programs like Slack and Teams, and they made Microsoft pull Teams out from a purchasing standpoint, has to stand on its own now from an anti-competition standpoint.
Eric Brown (47:06):
Hopefully the same thing will happen with point solutions like email security.
And if you want Defender for Office 365 P1 or P2, it will have to stand up against the SEGs and the tools like Abnormal and be priced and compete with them directly, versus the
(47:27):
account rep just saying, oh no, that's bundled into your E5 subscription.
You already get that, it's free.
And I think if they do have to compete with their security products, we'll see even better products coming out of the industry because there'll be a ton more money coming in from an
(47:49):
investment standpoint, because those office tools just can't stand up, right.
It'd be like if somebody was standing up their own Word program that wasn't open source.
It'd be really hard to compete against Microsoft.
But that's where the maturity is for Microsoft from a security tool perspective, and it's really great to see companies
(48:10):
like Abnormal come onto the scene with this innovation coming out of left field to really help with these areas where we just see so many threats coming in on a daily basis.
Mick Leach (48:23):
Yeah, absolutely.
Joshua Schmidt (48:24):
To kind of sum it up, this might be an absurdly big question, but what do you see as the biggest threat to email security today, Mick, and maybe Eric, you can chime in on this?
Nick Mellem (48:33):
I was going to go ahead.
Go on a minute, yeah.
Joshua Schmidt (48:37):
But, you know, and just piggyback on that, what do teams or cybersecurity professionals, what should we be doing to stay on top of emerging threats?
Because there's people that, we often say, you know, if these threat actors would just put all this ingenuity into, you know, altruistic virtue, you know, ventures, it might actually make
(48:58):
the world a better place, but we're constantly up against people using their creativity for nefarious reasons.
So, in your opinion, can you speak to that and what it's going to look like, maybe five years down the road?
Sure, yeah.
Mick Leach (49:11):
So I think that AI continues to be the biggest threat towards email in particular.
I continue to see on, I mean, every single day as it matures, it gets better and better.
And so the idea that threat actors can now automate and send
(49:34):
just 10x of what they ever could before with some rudimentary Python script or whatever that they might have been using in the past to create these fraudulent emails, these phishing messages going out.
That's kind of where I see the biggest problem going in the
(49:55):
future, and so defending against AI is really hard, and that's where I think we, as security professionals, need to be harnessing that same power of AI, so using AI for good to defend against the use of AI for bad.
So I think that's going to be more and more pivotal going
(50:15):
forward, and not just in email, but in all of our solutions.
You know, you think about the way.
What is ML great at?
You know, it's great at consuming just a ton of data and then finding that sort of thread of truth that runs through it all.
Joshua Schmidt (50:32):
We'll leave it there.
Well, thanks, Mick, for joining us today.
Once again, you've been listening to the Audit presented by IT Audit Labs.
I'm your producer, Joshua Schmidt.
You've been joined today by Nick Mellem and Eric Brown and our guest Mick Leach from Abnormal.
You can find us on all the streaming services.
We have new episodes every other Monday.
Find us on Spotify, Apple Music.
Please like, share and subscribe and tell your friends,
(50:53):
and we hope to see you soon.
Eric Brown (50:57):
You have been listening to the Audit presented by IT Audit Labs.
We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security.
Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, or our security control assessments rank the level of maturity relative to the size of
(51:19):
your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill.
Topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you
(51:44):
source your security content.