Speaker 1: 0:04

Welcome to the Audit hosted by IT Audit Labs. I'm your producer, joshua Schmidt, we have Nick Mellom and Eric Brown, and today we're joined by Mick Leach from Abnormal. How are you doing, mick? I'm well. Thanks, good to be here, guys. Thanks for having me. Absolutely Thanks for joining us today. We're going to jump right into it with an icebreaker question to get to know you a little bit better. What was your favorite band? Were you like a hair metal guy in the 80s, 90s? Uh, were you a grunger? Were you a hip-hop guy? What was your favorite music?

Speaker 2: 0:31

oh man, so this is so embarrassing. So I was a bit of a prep uh in school and uh so preppy kid. Uh was in the band, uh played the trumpet. So not the coolest aspect of my life. I did go get shot at instead, uh, to make things later.

Speaker 3: 0:47

Yeah, yeah, it's kind of yeah, Balance that out some.

Speaker 2: 0:53

Um. But yeah, I probably DJ jazzy Jeff and the fresh prince. I was a big fan right, I was a big kind of rap guy, or at least I fancied myself one. That was the closest I could possibly get to being cool, love it.

Speaker 4: 1:10

How about you, nick? I gravitated like the rock and country. I like both. But I would have to say, back when I was younger I think I'm still relatively young, but I'd have to say Metallica. I had the full door poster of all the members on my on my door when I you you know live with my folks a long, long time ago, so I'd have to go to go with metallica eric, I'm dying to hear yours, I know I go any direction.

Speaker 3: 1:34

Yeah I was all over the place in high school. I'd probably say rap like public enemy was was probably the go-to. But I had some pretty eclectic tastes. Like right away in college I kind of switched to older, like 60s uh, r&b music like sam cook. Um, now I listen to a lot of jazz and just kind of chill on sundays. That's one of my favorite things is just relaxing on sunday morning with the uh, with the record player, with some some good jazz music I didn't know you were a vinyl guy.

Speaker 1: 2:04

I'm gonna have to trade some vinyl, so we'll do it. I want to get in on that trading. Yeah, mine was smashing pumpkins. Uh, it was big smashing pumpkins I still am still am, although I haven't put out anything that I've been really excited about in quite some time.

Speaker 1: 2:17

But uh, 1979 was one of my favorites that's right, that's still one of my favorites, but yeah, well, now that we get to know each other all a little bit better, um, we'd love to hear more about you, mick, and uh, kind of your background with abnormal, how you got into you're doing some public speaking now, I know, and you're you're doing are you doing virtual cso work or are you doing some sort of cso work as well?

Speaker 2: 2:39

no, just so as a field cso, I go out and uh, a lot. So, as you mentioned, right, lots of webinars, lots of presentations, industry stuff, you know just a lot of. You know sharing, sharing thoughts and opinions, that kind of thing in the security space, leveraging, you know, 20 plus years in IT and security to share thoughts and opinions on where things are today and where they're going.

Speaker 1: 3:03

Great and how did what kind of got your, piqued your interest in that and got you into the cybersecurity world?

Speaker 2: 3:09

Yeah. So I took a sort of eclectic, scenic route into not only IT but cybersecurity in particular. Out of high school I joined the military. I was in the United States Army for nearly nine years and got out and was able to parlay that you know, all of that exciting stuff into a job in IT. How that happened, I have absolutely no idea. But started doing IT things for a little while and then an opportunity came to join the security operations team that was starting up, and so this was at a Fortune 100 insurance company.

Speaker 2: 3:48

Once I got into that and did a couple of SANS courses, I realized this is what I was built for right. It combined my love and my excitement for protecting others from the military with this sort of digital aspect that I enjoyed. I was also a nerd, a geek, and loved building and tearing apart computers, and so there was this beautiful convergence of being able to both defend and remain technical at the same time, and so I did that for a while and then got an opportunity to start building and leading security operations teams at Fortune 500 companies. And then, after doing that and protecting other companies for a good while, I realized you start building and leading security operations teams at Fortune 500 companies. And then, after doing that and protecting other companies for a good while, I realized I wanted to make a broader impact. Right, I wanted to try and move the needle on the industry. Yes, it sounds, you know, idealistic, yes it's silly, but I wanted to try and make the world a safer place, and so I knew there's a couple of ways you can do that in our industry. Right, you can join the government and try and do things that way. The thing is it doesn't pay very well and I've got a big family, so I realized I'm going to probably need to stay in the private sector, as it were.

Speaker 2: 5:00

And so I knew that the other side of that is probably joining a vendor or a service provider, and so I had a short other side of that is probably joining a vendor or a service provider, and so I had a short list of folks that I really respected, companies that I'd worked with over the years, where not only was the tech super cool and worked, but the people were really neat and I loved what they were doing. You know, crowdstrike was in that list Imperva there's a handful of companies just doing some really neat things, palo Alto Networks, and one of them was at the top and it was a company called Abnormal Security. It was an interesting company. I'd bought and used their solution for about a year and a half and it was awesome.

Speaker 2: 5:40

It changed the way that email security was being done and I thought, man, if they would ever have a role doing what it is I do, man, I would love to join that company. And, lo and behold, a role popped up on their website. I applied and next thing I knew I was working for the good guys here. The stars aligned.

Speaker 1: 6:00

Yeah, yeah, I think Nick can relate to your career trajectory there yeah, I was already thinking it.

Speaker 4: 6:07

Yeah, I had. Uh took the scenic route, as you put it. Uh was in the marine corps, uh, not quite nine years, but I did four and got out. But I think when I was in I would always you know, I was when I was deployed or if we were doing field operations, you know I'd come back all sweaty and dirty and I'd see the it guys in there. I was like, well, these guys are they got some ac? Yes, water.

Speaker 2: 6:31

I mean like so I get your connection dude, I was so jealous of those guys sitting in that like tonics or whatever that air conditioning tonics.

Speaker 4: 6:39

I'm over here, you know, chewing on dust you're over in afghanistan with some moon dust and you go back to the CLC for a debrief and they're all just. I mean they're doing good work, but they're certainly nice and cool and well hydrated.

Speaker 2: 6:54

I love it. I love it. Well, yeah. So I joined Abnormal as the head of security operations initially and building out that program. And after about, oh man, almost two years of doing that or I guess it was a little over two years they said you know, mick, we'd love for you to do a little bit more of the public speaking stuff. And I was like, guys, you're killing me. I mean, I'm barely getting my OKRs met now doing because I'm, you know, at the time, I'd travel and I'd speak and then I'd go back to my hotel room and I'd work for another six to 10 hours in the hotel room trying to get all my actual daytime work done. And I was like, guys, I don't know, I don't know if I can do more speaking and still get my job done, my daily job.

Speaker 2: 7:42

And they said, well, what if we, what if we backfilled you, uh, like your daytime stuff, and then you would be freed up to do more? I was like, uh, is that an actual gig? Like, what would that look like? What would we even call that? Tell me more, I know. I was like I mean, I'm not opposed, I enjoy the speaking and the traveling, but what would that? You know what will we even call it?

Speaker 2: 8:05

And they said, well, we could call it field CISO. And that was the first time I'd ever heard the term. I had to go Google it and I've met a few others of us and we actually have a group now, a group of field CISOs, where we kind of share, you know, some of the challenges, some of the successes, so that we can sharpen one another, and that some of the challenges, some of the successes, uh, so that we can sharpen one another and and that's been super cool too. But yeah, there for a minute I was like I'm not sure, so we decided to do it started up and, uh, it's been almost a year now in this role and just having a blast.

Speaker 1: 8:38

That's cool. We call Eric the flying CISO cause. Eric's a pilot and a CISO as well.

Speaker 3: 8:42

So yeah, yeah, and you know, I really do think highly of Abnormal have used it in a few places and just the nature of our work. Sometimes we get dropped into some pretty hectic situations. I guess you could say you know where a company is experiencing challenges or maybe they need to go in a different direction and unfortunately, most of the time it's bad email security. Most of the time they're using Microsoft's off the shelf products which are terrible. I don't think I'm telling anybody anything, they don't know, but I mean they're. They're just awful. Not only do they not work. The problem with Microsoft's tools is you have that false sense of security where they've wrapped this into your licensing and then you're expecting it to work. But then when it doesn't work and you go and figure out, well, why isn't it working? It's like, oh, I didn't have this setting turned on or this slider wasn't in the right area, and you're like, well, shoot, you know, we just had an exposure because we thought we were protected. Time after time I found the Microsoft stack and they have a few different iterations of the name from Exchange Online Protection, I think now they're calling it Defender for Office 365, plan 1 or Plan 2. I think Plan 2 has a little bit more of the synthetic testing in it, but the product's all the same. It doesn't work and you need something else to help.

Speaker 3: 10:19

One of my favorite recent examples with the Microsoft stuff was Microsoft would classify the email as either suspicious or malicious and instead of deleting the email they put it into the user's junk folder or deleted items. And what do the users do? Oh, a new email popped up in this folder. Yeah, it says deleted or junk, but I'm going to still go in and see what it is and then click on it and Bob's your uncle. So it is really tough to change that behavior in the user culture change, change, education, all of that and it's really tough to make those changes on the Microsoft side of having it permanently delete that item. So you need a tool like an abnormal that's going to come in and inspect that and use some intelligence around why it might be a malicious email.

Speaker 3: 11:20

We see a ton of email threats across our different customers and it seems all of the time the malicious actors are getting more and more sophisticated with domain impersonations. Saw one the other day that was impersonating the delivery service DSL, and they were. It looked really legitimate. But then when you actually go in and DHL sorry, when you go in and actually look at it. It was a domain coming out of Turkey, but the email tools like Abnormal were catching it and categorizing it correctly.

Speaker 3: 12:00

What I wanted to ask you was, as you were working at Abnormal, maybe give us a look behind the scenes as to the technology and you know, we can kind of kick around the term AI but what I think is the differentiator from with Abnormal is it's looking at the email content and even if there's no URL, even if there's no attachment, but the email itself is trying to socially engineer someone of you know, hey, the CEO fraud where you're trying to get somebody to go out and buy some gift cards and then email back the codes or whatever. It is Abnormal's picking up on that and that's really hard to do. So I'd just love to hear more about how you're doing that and where the industry is going as these attacks get more sophisticated.

Speaker 2: 12:55

Sure, sure, yeah. So a couple of things to kind of unpack. First, I know, as you were talking about having users that love to go dumpster diving in their trash folder and go and find things. So there are two things that used to drive me crazy about email security solutions. Number one is just that that the solution would either take a malicious message and move it into the trash and then just hope that our users wouldn't go in there, but inevitably there's always a dozen or there's a handful of very inquisitive users who can be problematic, but they love to go dumpster diving, say oh, let me see if there's anything in here I really wanted. Why are you in your trash? Right, it's almost like putting razor blades in the trash can of a four year old.

Speaker 2: 13:48

Someone's going to get hurt? Okay, and inevitably someone would. And then the second aspect is almost worse is that they would still deliver the message, but an add, a banner that we've all become numb to and you don't even see it any longer, but a banner that basically says, hey, this could be malicious. We're not sure, so we're going to just deliver it and let you figure it out. Like I mean Marcy for marketing, who has absolutely no security training whatsoever, we're now going to leave it in her hands to decide whatsoever. We're now going to leave it in her hands to decide. You know, even our actual million dollar technology could not figure out whether it was malicious or not, so we're going to leave it up to Marcy, or you know, marty, or whoever for marketing. You know, this is what used to drive me crazy. This is where we always got ourselves hurt, and so you know.

Speaker 2: 14:41

That's what I love about abnormal is that it's taken a fundamentally different approach and it starts. It starts in two ways, right. First is the architecture is just different, right? Rather than trying to do like a castle wall and the moat being on the perimeter and then letting everything come in and out of that one drawbridge gate, rather than doing that, they're using an API architecture. So as a SaaS solution, it sits completely outside of the tech stack.

Speaker 2: 15:16

Now I remember the first time I had a POV with the co-founder of the company. Sanjay had come and had a meeting initially with me, and then we did a POV, and as he was explaining this, I was like wait, wait, wait, wait. Are you telling me that he just sits on the side and evaluates, kind of after the fact, I mean this sounds horrible. This almost sounds like an IDS for my email. That's like the worst thing I could possibly imagine. Can you imagine something being more noisy than that, good Lord? There's like the worst thing I could possibly imagine. Can you imagine something being more noisy than that? Good Lord? There's just no way. And he said no, no, no, mick. So just because we're using an API to see into the emails doesn't mean that we can't also remediate. We can just make an API called move things into a hidden folder the user can't see. And I was like, oh okay, well, that makes a little more sense. And so, you know, we got into talking about it.

Speaker 2: 16:12

But that architecture, that API architecture it gives you so much more visibility than you could possibly get. With a traditional secure email gateway, for example, the gateways can see north-south traffic beautifully, everything that passes through. It's got that covered, great Thanks. But what about all that east-west internal-to-internal traffic? At most companies that's like 70%. 80% of the email traffic is just internal-to-internal.

Speaker 2: 16:41

Imagine buying a multi-million dollar security solution and then telling your leadership yeah, this is great, it's really good. It can't see 70, 80% of our traffic, but the 20, 30% it can see. It's great, really happy with it. I mean I would get murdered in my bed at night if I told my leadership that's how this worked. So you know it gives us unparalleled visibility. The integration is trivial because it's all you know, it's API driven. You know you essentially set up the credentials and you're in business.

Speaker 2: 17:15

And the last aspect on that architecture side of things is the time to learn, right? If you think about a seg, it has to wait for enough messaging to pass through its filter for it to learn. That could be months before it's fully trained right. Using an API, you can do a look back in time and so now I can look back, you know 30 days, 60 days, and force feed all of that data through my machine learning models and now we're training in hours and days rather than weeks or months, so that's super powerful. On the detection logic side is what was more interesting to me.

Speaker 2: 17:56

For years, our security tooling everything I've bought for years has been asking what I think now is the wrong question. It was asking the question is this bad? Well, the challenge with that is that you have to have a good definition of what bad looks like right, so you have to define evil, and that definition is constantly changing. It also means that someone had to have gotten bit first and then define that evil for the rest of us to be protected. It's like spotting the attacker the first foray. I'm not comfortable with that. Neither are most professionals, I know.

Speaker 2: 18:35

So instead of asking the question is this bad, abnormal is taking a different approach and saying is this good or is this normal?

Speaker 2: 18:46

That's the right question, in my opinion, and the way you answer that is by baselining your environment and understanding what normal looks like right. Because of the way that Abnormal is able to plug into your environment, it can see not only all of your email traffic, which is great, but because of the way it plugs into the Microsoft 365 stack now it can see all of your Azure AD logs. It can see your Teams notes, right, so it's getting so much more data around who your users are and how they work information. You can create kind of a profile of each and every person who they work with, how often that is the times of days they log in all of that no-transcript. And now I can tell when it's no longer Eric's hands on the keyboard, even though, right, the past authentication, past MFA, the login is good, but maybe this isn't actually Eric on the keyboard today and that's what's impressive calls out that suspicious activity and where it really identifies that you may have an active issue going on.

Speaker 3: 20:08

that that's helped this out a couple of times where even in the, the demo mode of abnormal, where you basically bring it in and read only mode and it, it looks at the environment and then starts to learn, kind of that process that you were talking about. But I've seen it identify issues that needed to be resolved during that time frame and it's just kind of that proof of value right there that you know it's going to pay for itself.

Speaker 2: 20:37

Yeah, yeah, you know, when I took a look at it, sanjay, he'd said it could be hooked up in under a minute. And I mean, I'll be honest, I'm a little hurt, right, I don't know what I think we're all. We all have trust issues, which is why we get into cybersecurity in the first place. But you know, I've heard lots of vendors make these outrageous claims before and I had had to kind of enough of it and I was like there's no way. There's no way that this takes under a minute, that we're a fortune 500 financial services company. Okay, I can't do anything in under a minute. I can't do anything in under a week at this company, right, it's just there's so much to do. And so I was like that's, there's no way. I'll bet you lunch today that you couldn't possibly hook this up in under a minute. And he was like all right deal. So we brought, we brought the, the uh the admin in and he had the right creds.

Speaker 2: 21:38

And, sure enough, sanjay, thankfully, is a very nice man and he did not hold me to buying lunch otherwise I would have been, because it was. It was like at that time, 30-35 seconds, and it's even shorter now, uh, to get it all hooked up and learning. And I was like, all right, fine, you're right, you, you win. It only took, you know, 30 seconds to get it hooked up. Uh, all right, show me the evil. And all right, well, mick, let's give it a minute to bake and let it learn and we'll give you a call. And sure enough, like, a couple of days later, he called me up and he was like all right, mick, so listen, we've got your report ready for you. There's a lot here to unpack. I was like what do you mean? There's a lot here to to unpack. I was like what do you? What do you mean? There's a a lot to unpack here. I, I have a great tech stack. I was like offended. I mean I'd spent three years and millions of dollars building the tech stack of my dreams, and so for him to say that there was a lot there to consume. I was like, well, hang on now, like and he goes yeah, we'll actually get to that in a minute, but we do want to call your attention to one thing in particular. You have a threat actor that's corresponding with one of your hr. Business people live right now and we think maybe you should get involved. I was like, wait what? And uh, sure enough, we. I found the email that he was talking about and, yep, there was a threat actor who claimed to be one of our associates. I'm kidding, yeah, oh yeah. They found him one of our high-paced associates, based at least on title on LinkedIn, and then cross-referenced that with Instagram, saw that they were posting pictures from Cabo having a wonderful time on vacation with their family, and then created their first dot last name at gmailcom Apparently they hadn't done that yet and now never can and sent an email to HR and said hey, just having a wonderful time on vacation. Thanks for asking. That's why I'm sending this from my personal account, because I don't have access to my corporate account, of course, but I just remembered I changed banks at the beginning of the month and that hotel bill's come and due, so if you could just fix that up for me, I'd be very grateful. And, to her credit, god love her. She said no, you didn't fill out the right form. It's attached for your convenience. Oh so it will not surprise you that that threat actor filled out that form better than anybody in the history of that company and she was preparing to make the change when we caught it and, uh, so we were able to very quickly step in and get that squared away.

Speaker 2: 24:22

But there were, there were lots and lots of things. I will tell you. I was horrified at the amount of threats that were quietly slipping through my tech stack at the time. I mean, with email, if your users don't complain and your tools don't catch it, you will never know. Right, like you know, many of my users were quietly thankfully quietly ignoring a lot of the, you know, social engineering attempts, the phishing attempts that were coming through. Then a few, as we learned, were quietly interacting with them and you know, paying bills, fraudulent bills, or buying gift cards because they thought someone in leadership wanted them to like. Come on, think that through. Like, the ceo does not need you to go buy some gift cards.

Speaker 4: 25:10

At best buy or whatever and scratch the back off and then send a picture of it and do all these crazy things but they do it because it works.

Speaker 2: 25:19

It does work, it does work, and it's the reason I'm so passionate about cybersecurity as a whole. I've had a family member my wife's grandparents fell victim to a very, very lucrative for the threat actor social engineering attack, and they were able to drain their bank accounts out, and, you know, it really hurt them, and so I've seen this firsthand, even in my own family, and I know I'm not the only one. I speak with folks all over the country and they have had similar things happen. So that's that's the reason I love my work. I love the fact that I get to, you know, move the needle on the industry and try and make the world a better place.

Speaker 4: 26:03

Have you maybe kind of a random question, but it's still attached to this have you seen the movie Beekeeper?

Speaker 2: 26:09

That's like my dream scenario, right? I mean, yeah, I would love for someone, not me.

Speaker 4: 26:18

You might have the credentials.

Speaker 2: 26:19

To do that. Well, yeah, maybe not like that.

Speaker 4: 26:23

No, the movie fit along and I obviously wanted to tie that in there because you brought up your wife's grandparents, I think it was. Yeah, it's really clear. You can tell the passion that you have just by talking. You know how you have throughout the show so far. You know we're talking about some trends. Are you able to get into that a little bit more Like what you guys are seeing? You know maybe what trends are happening now or what you've seen maybe in the past year. You know whether you know we had the Olympics starting. Now we had the episode of CrowdStrike last week. You know, have you seen new trends come up?

Speaker 2: 26:56

Maybe if you could just share some of your insight there, yeah, what we've learned, and what I've learned since my since just in my time here at Abnormal, is that threat actors will never waste a major crisis. Right, you know, during the pandemic they were, they were snapping up domains and creating all kinds of things so that you could register and get your, you know, your refund or whatever. We were supposed to get there for a minute. And the most recent stuff is no different the Paris Olympics. There's lots and lots of social engineering, phishing attempts out there trying to convince you to go to a website that looks like it could be legit and interact with it, maybe log in, that sort of thing. They're going to collect your credentials and then start logging in to your corporate system. I mean not that any of us or anybody listening would ever reuse a password, but there are those, I'm told, that do that and so that becomes a problem with credential harvesting.

Speaker 2: 28:02

And the CrowdStrike one was no different. Um, you know we've. We saw right away, even on Friday. So it happened on Friday. Even on Friday, we saw reports uh from research, threat researchers on on uh, twitter sorry X now uh that were coming up showing that threat actors were registering brand new domains that looked like CrowdStrike, fixcom, you know, crowdstrike dash outage, crowdstrike dash BSODcom all of these different fraudulent URLs so that they could stand up websites that look legit and then start sending out those phishing emails that will ultimately harvest credentials. So that's kind of the biggest thing we've seen in terms of new threat vectors that are constantly coming out.

Speaker 2: 28:54

A couple other big ones that we've seen lately. They've been occurring for a little while now but are not going to get better. They're going to continue to get worse. Number one is like QR code phishing. Right, this one, this one's nasty, um, because, and and for a reason many people don't think about it's it's largely because if someone sent you a QR code, an email with a QR code in it to your corporate email, how are you going to scan that QR code?

Speaker 3: 29:27

You're going to use your personal phone and break out of the corporate walled garden.

Speaker 2: 29:31

Absolutely. That's exactly what you're going to do. Everybody does the same thing they pick up their phone, they point it at the screen, and now you are sidestepping your entire tech stack. Brilliant at the screen, and now you are sidestepping your entire tech stack multi-million dollar tech stack. We've got all these things to protect our users, and now they've convinced them to use something else, and now they're going to be logging in using their corporate credentials, thinking they're doing the right thing. But now we don't have any logging, we don't have any alerting, we don't have any defense capability, and so that one's particularly nasty for that reason.

Speaker 4: 30:04

Well, Josh does love the QR code menus at the restaurants.

Speaker 2: 30:08

Right.

Speaker 4: 30:08

Yep.

Speaker 2: 30:09

Yeah, I mean, let's be honest, it's almost like the pandemic had been training us for three years how to choose.

Speaker 2: 30:17

Yeah, all of us Because we couldn't touch anything. It's now you know, everywhere you go there's a QR code. I went to an event last November in Columbus Ohio. I live a little bit north of Columbus Ohio and I was down. That's like my backyard, this hometown for me. I went to an event there and had to park and went to shoot, because now even the parking meters use a QR code that you shoot and then you interact, you pay online, basically. And I was getting ready to shoot the QR code and I noticed it was curling up at the edges and I thought, well, what is that all about? And started to unpeel it. The actual QR code was underneath and so I shot that one, just because I'm a security guy, right, and I'm a geek and I'm curious. That's why we all get into this and are good at it. So I looked into it and, yeah, it went to a fraudulent website that looked as I mean, I didn't know what the real one should look like, so that one wasn't you, you wouldn't have caught it.

Speaker 2: 31:23

Nope, would not have caught it. I have no idea how much that they they could have cleared with that, you know. So those, the QR code ones, are particularly nasty because they're everywhere. And even, you know, even folks like my grandparents have now been trained through the pandemic. Right, they never, they didn't know how to work you know a smartphone. Now they're shooting QR codes all over the place because the pandemic taught them how.

Speaker 4: 31:47

Yeah, they're on commercials on TVs, now you know yeah.

Speaker 1: 31:51

Yeah, outside of buses. Would that be called quishing it?

Speaker 2: 31:55

is, it is, and I hate that phrase and I have words saying it. I can't say it without feeling nauseous. Quishing, kishing, I don't know.

Speaker 1: 32:05

I'm just curious. We just talked about the QR code phishing or quishing, whatever you want to call it. Have you seen any other unique threats emerge? It almost seems like the traditional keyword search is a little outdated, although it probably blocks a good portion of malicious emails and probably still useful to some degree. Maybe you can speak to that, but have you seen any other trends besides the QR phishing that have been popping up? That might be interesting.

Speaker 2: 32:35

Sure, yeah, let me give you two more, then, because the one you just brought up reminded me of a short story and I promise I'll try and keep this short At my last gig, talking about different kinds of attacks. The keyword searches is what we had in my secure email gateway at the time and it was good. It did a good job. It caught things like, you know, bitcoin and kind of the stuff you would expect, but I had a sextortion campaign roll through. This was ultimately what drove me to look for something else, where I ultimately found abnormal, and in this particular one, I had an enterprising threat actor who had taken a screenshot of the extortion notes that you know.

Speaker 2: 33:19

If you've not seen these, they purport to have, uh, turned on your webcam while you were surfing pornography on your corporate computer. Because who doesn't do that, uh, you know, just on the daily? You would be surprised. Well, it's funny. You would say that because you know. Yes, so we sent this out. The thing was because it was a picture, right, the resulting jpeg file was not malicious in any way. He pasted that in as the body of the message and, like my seg, couldn't read the words in the picture, so it sailed right through all of my security stack and started causing quite a stir. When it landed in my user's inbox, I started getting these weird phone calls like Mick, do you know how to open a Bitcoin wallet?

Speaker 4: 34:07

I was like oh boy.

Speaker 2: 34:09

Well, you know what? I don't even want to know, yeah.

Speaker 3: 34:13

I don't know.

Speaker 2: 34:16

At any rate, it's those kinds of things that short circuit many of the traditional security controls we've been using for years and I had never seen one like that. And that was one of the first things I brought up to. Abnormal, when I sat down with Sanjay, was like, hey, here's a recent example, could you have caught this? And he said, oh yeah, it was like, tell me more. And he said, well, we use, we use a machine learning model called computer vision. That's uh, it's kind of like OCR's big brother, right, optical character recognition. It's kind of like it's big brother. So it can even it can look at the message body, regardless of whether it's text or it's an image or a QR code, for example, and so that's how they're able to identify and ultimately resolve a DNS entry for a QR code or read the words in a picture. And I was like, well, hot dog, this is pretty darn neat. And it worked. I never saw another one again after I plugged Abnormal in. So good, good stuff.

Speaker 2: 35:20

The second thing that I was going to tell you is really around AI, generative AI. This will not surprise any of us here on the phone, but it has absolutely lowered the bar of entry for threat actors to attack folks today. For threat actors to attack folks today. You know, folks that couldn't craft a coherent English sentence yesterday can now write better than my 10th grade English teacher, mrs Fox, and that's saying something. If you're out there, Mrs Fox, still remember you. I'll turn it in tomorrow, I promise. But that's the kind of stuff that you know we're dealing with today and it's not necessarily that it's more sophisticated than we would ever see with spear phishing. But the volume is such Because now, instead of it would take 20, 30, 40 minutes to craft a good, realistic spear phishing message.

Speaker 2: 36:17

40 minutes to craft a good, realistic, you know spear phishing message Now using, you know, generative AI, whether it's ChatGPT or Gemini. Pick your favorite flavor, then you can craft these ad nauseum. Right, you can automate that. You can even automate it to where it'll find victims on LinkedIn. We will automatically scrape public websites like Instagram and Facebook. You know, whatever you're into, it can learn and then craft a very realistic looking message that you will almost undoubtedly click on, because it knows what you're into.

Speaker 2: 36:49

And so that's what makes it really hard, because a lot of the traditional things that we not only our solutions have been looking for for years, but what we've been training our users to watch for things like clunky grammar or misspellings or a sense of urgency. They're trying to convince you to do something fast. Many cases, those aren't there. And then, if you think about our tech, it's been looking for signals or signature-based detection. It's been looking for some sort of definition of evil. So is there a known malicious URL? What about a known malicious attachment? Or what about a bad sender? The sender has a history of doing this. Those are the things that it's been looking for for years and years that simply aren't present anymore.

Speaker 3: 37:39

One of those that I recently came across with Abnormal was the newly minted domains. There's zero reason why a domain registered yesterday is going to send me anything that's legitimate, but being able to categorize that and filter that out hugely important from a security posture standpoint.

Speaker 2: 38:02

Yeah, absolutely. Those are some of the key things that we take into account, and a lot of other security solutions are doing that today too as well. There's lots of good SEGs on the market that are doing that. I think where abnormal is a little bit different, is it not only goes beyond just analyzing the headers? Right, Is this domain stood up recently? Where did it originate from? These kinds of things?

Speaker 2: 38:29

But it'll actually go further and say have I ever received an email from this person? Because they're purporting to be somebody I work with. They're trying to get me to pay an invoice. Have I ever worked with them? Have I ever received an email from them? If I have, did it always originate from Amsterdam? Because that seems unusual. Most of the vendors I work with are here in the States, and so it can even look at those mismatches of yes, you work with this person, but that origination is actually from Amsterdam and it's never come from there before. So these are the kinds of it's more like behavioral data science and data analytics that allows abnormal to catch things that nothing else simply can today.

Speaker 3: 39:19

I've got one for Josh. Josh, what do you call a malicious link embedded in a Word document that's wishing?

Speaker 1: 39:33

I think you secretly enjoy these ishings. I do.

Speaker 3: 39:40

So, mick, with Abnormal right, all of Abnormal's eggs, so to speak, are in really largely one basket.

Speaker 3: 39:50

I know there's some ancillary work around Slack and Teams and things like that, but a majority of security is related to email security, and that's a huge thing.

Speaker 3: 40:02

I mean, email security is the number one and two issues of security pretty much any organization you work with. If we go into work with an organization, we ask them what email filtering tools do you have? And they don't have anything but the incumbent tool that comes with the email suite that they've purchased. That's a red flag of OK from a maturity perspective. They really want to get better at email security. Coming off of this CrowdStrike debacle, they could very well say, hey, we want to get better at endpoint security and they could make a large investment in email security and get really good at it quickly. Or buy a company like an abnormal that is already good at it and integrate that into their ecosystem and then all of these secure email gateways or other API integration security tools would essentially the market would disappear overnight. Do you worry about that, or what are some of the thoughts that you have around being myopically focused on one particular domain of information security?

Speaker 2: 41:27

So I'm so glad you brought that up because that's exactly what I asked when I interviewed with Sanjay, co-founder of the company, before I joined the company, and we had a good interview. But he got to a point towards the end he said, Mick, I want you to go ahead and ask me the hardest questions you have. And I was like, OK, I mean, are you serious? And he said yeah. I said all right, Well, look not to hurt feelings. But I mean you have a great product, but it's in a niche area Like what's the plan? Is the plan to get bought? Is it to to? I mean, what? What are you going to do? And he said that was the right question. And he said let me show you the. You know the roadmap. And I said, ah, I've seen the roadmap every quarter in my, in my QBR for the last, for the last year and a half. I know your roadmap really well. He said no, no, no, this is the roadmap and he showed it to me. He said this is the roadmap you've seen as a customer Now, because you've signed an NDA as part of this interview, here's the roadmap that we really want to tackle. And I remember looking at it with my eyes just like dinner plate, and I was like are you serious, Are you really going to try and tackle all of this? And he said yep. I said all right, well then, I'm in, I want to be a part of what you want to do. So, um, you know, even and I've been here almost almost three years it'll be three years in like three, three weeks so I've been here nearly three years and even three years ago, they had a long-term plan for the areas that they really wanted to tackle. It's so much more than email, if you want to think of it that way. We're, we're an AI company whose first foray, like our first act, was email, but there's more coming and you've seen that with.

Speaker 2: 43:22

So last year at RSA, so in 2023, that's when they released you, Eric, you alluded to it, right, that same detection, like anomaly detection, that we're doing for email, we released for Teams and Slack and Zoom. So, because we saw that attackers, once they were compromising an account, they weren't even sending emails many times, at least not internally because we've all done a good job as security professionals, training our users to be very wary with email, we have not done as good a job, if I'm honest, myself included, of teaching them to bring that same rigor to things like Teams and Zoom and Slack chat programs. They just think well, that's Bill. I talk to Bill every day. It may not be Bill today, so that's what's important there. But then this year at RSA, we announced some new integrations. So we're integrating with I think it's 12, yeah, 12 major SaaS applications, things like Workday and DocuSign, ServiceNow, Zendesk, right, A lot of these enterprise applications uh, salesforce is another big one um, a lot of these sas applications are awesome, super powerful, but because they sit outside of your tech stack, the logging doesn't always make it back into your sim.

Speaker 2: 44:51

And even if it does, we just may not have the breadth of of understanding and the breadth of logging to understand anomalous activity, especially as it dots across several of these different applications. Right, what happens if someone compromises a workday account? They log in. If you're using SSO, great, that's best practice. Sso, great, that's best practice. But you could still, especially if the account has been compromised the SSO would just note that there was a valid login right to this application.

Speaker 2: 45:27

But now they're bouncing around in that application, they move to another application, right, and so with all these disparate things, you may not be able to link it all together to understand that there's something actually malicious happening, and so that's something that we're really tackling as we go forward. So we're calling this universal account compromise or universal account takeover protection. So it's universal ATO is what we're calling it, and so it's the same account takeover detection logic that we're applying in your Microsoft 365 stack today. We're applying that same logic into all of these different SaaS applications. So we're going to deliver that here in the next couple of months and we're going to roll it out with 12 applications, initially SaaS apps, but we want to get to as many as 80 by the end of the year.

Speaker 3: 46:19

That's great, congratulations, yeah.

Speaker 2: 46:21

Yeah, it's an exciting time to be here, and these are the things that I saw three years ago, basically on a napkin. It might as well have been and it wasn't a napkin, it was a spreadsheet, but it might as well have been but these were the aspirational things that I saw three years ago that made me desperately want to come here and be a part of what they're doing and I think with the recent governance coming out of the EU, with how they're treating enterprise chat programs like Slack and Teams and they made Microsoft pull Teams out from a purchasing standpoint has to stand on its own now from an anti-competition standpoint.

Speaker 3: 47:06

Hopefully the same thing will happen with point solutions like email security. And if you want Defender for Office 365 P1 or P2, it will have to stand up against the SEGs and the tools like Abnormal and be priced and compete with them directly, versus the account rep just saying, oh no, that's bundled into your E5 subscription. You already get that, it's free. And I think if they do have to compete with their security products, we'll see even better products coming out of the industry because there'll be a ton more money coming in from an investment standpoint Because those office tools just can't stand up right. It'd be like if somebody was standing up their own Word program that wasn't open source. It'd be really hard to compete against Microsoft. But that's where the maturity is for Microsoft from a security tool perspective and it's really great to see companies like Abnormal come onto the scene with this innovation coming out of left field to really help with these areas where we just see so many threats coming in on a daily basis.

Speaker 2: 48:23

Yeah, absolutely.

Speaker 1: 48:24

To kind of sum it up, this might be an absurdly big question, but what do you see as the biggest threat to email security today, Mick, and maybe Eric, you?

Speaker 4: 48:33

can chime in on this? I was going to go ahead. Go on a minute, yeah. But you know, and can chime in on this, I was going to go ahead, yeah.

Speaker 1: 48:37

But you know, and just piggyback on that, what do teams or cybersecurity professionals, what should we be doing to stay on top of emerging threats? Because there's people that we often say you know, if these threat actors would just put all this ingenuity into you know altruistic virtue, you know ventures, it might actually make the world a better place, but we're constantly up against people using their creativity for nefarious reasons. So, in your opinion, can you speak to that and what it's going to look like, maybe five years down the road? Sure, yeah.

Speaker 2: 49:11

So I think that AI continues to be the biggest threat towards email in particular. I continue to see on I mean, every single day as it matures, it gets better and better. And so the idea that threat actors can now automate and send just 10x of what they ever could before with some rudimentary Python script or whatever that they might have been using in the past to create these fraudulent emails, these phishing messages going out. That's kind of where I see the biggest problem going in the future, and so defending against AI is really hard, and that's where I think we, as security professionals, need to be harnessing that same power of AI, so using AI for good to defend against the use of AI for bad. So I think that's going to be more and more pivotal going forward, and not just in email, but in all of our solutions. You know, you think about the way. What is ML great at? You know it's great at consuming just a ton of data and then finding that sort of thread of truth that runs through it all.

Speaker 1: 50:32

We'll leave it there. Well, thanks, Mick, for joining us today. Once again, you've been listening to the Audit presented by IT Audit Labs. I'm your producer, Joshua Schmidt. You've been joined today by Nick Mellum and Eric Brown and our guest Mick Leach from Abnormal. You can find us on all the streaming services. We have new episodes every other Monday. Find us on Spotify, Apple Music. Please like, share and subscribe and tell your friends, and we hope to see you soon.

Speaker 3: 50:57

You subscribe and tell your friends and we hope to see you soon. You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, or our security control assessments rank the level of maturity relative to the size of your organization, thanks to our devoted listeners and followers, as well as our producer, joshua J Schmidt, and our audio video editor, cameron Hill. Topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, spotify or wherever you source your security content.