
Sponsored: Sublime Security on attack surface reduction for email

2024/3/24

Risky Business News


Josh Kamdjou explains how Sublime Security has adapted the concept of attack surface reduction, traditionally used in network and endpoint security, to the email domain, focusing on blocking various types of email attacks and enhancing detection capabilities.

Transcript

Hello, this is Catalin Cimpanu. Welcome to another sponsored interview on the Risky Business News podcast. Today, our guest is Josh Kamdjou, co-founder and CEO of Sublime Security.

Welcome, Josh. Hey, Catalin. Thanks so much for having me. Josh, in December, Sublime launched a new feature named Attack Surface Reduction for email. The name seemed a little odd to me, because the concept of attack surface reduction is something you hear from the network security folks. Do you mind giving us a rundown of how this works? What exactly did you do here?

Yeah, absolutely. And you're absolutely right that attack surface reduction has historically been applied to other areas of security, not email. We've seen it in the network space, and we've seen it in the endpoint space. Attack surface reduction, or ASR, is basically all about mitigating the ways an attacker can conduct a successful attack. In the network space, on secure web gateways, we've had this concept for years: for example, blocking access to domains that were newly registered within the last 14 days or within the last 30 days. We've also had this in the endpoint space for years and years and years, and it's a critical part of defense in depth. On the endpoint, we've had this concept called application allow listing. It's a pretty effective way of mitigating the ways an attacker can conduct a successful attack, forcing them elsewhere, forcing them to do something else. So we took this philosophy and thought about how we could apply it to the email domain.

Sublime is an email security company. At the core, we block email attacks like BEC, malware, and credential phishing, and the way we do that is really unique. At the core, we've got a detection engine that we expose and make completely transparent to our customers and the broader community. And because we've got this transparent layer that you can use to describe attacker behavior, besides the core use case of blocking inbound email phishing, we can also apply it to many other things: threat hunting, automating triage, all kinds of stuff. And one in particular that we released recently was attack surface reduction. So it's applying the same concept to the email domain.

And it has been an incredibly effective way to prevent new variants of attacks. I can give you a couple of examples of how this works. If we laser in on a few specific attack types, for example, HTML smuggling: HTML smuggling is where an attacker will send a malicious HTML attachment, or a link to a website that is hosting malicious content, and the contents of that message are obfuscated over the wire, decoded or decrypted on the endpoint, and then rendered locally on the user's machine.

Attackers are constantly coming up with new ways, new evasion mechanisms, for delivering HTML smuggling attacks. So one method, and this is something we do, is to build detection for specific evasion mechanisms. We can see, hey, this looks suspicious because it's using the JavaScript unescape, or maybe there is an encrypted blob, or things like that. And that works really well, but as attackers evolve and create new techniques, you need to be resilient to that in some way. And so attack surface reduction: if you've got the ability to describe behavior in a really complex way, you can do that with minimal false positives.

The way we've operationalized this in Sublime, we provide out-of-the-box attack surface reduction detections, one of which is any HTML file from an unknown sender to your organization, someone that has never sent you a message before and someone you've never sent a message to before. And you can also combine that with other signals, like a low reputation domain, for example. This has been incredibly effective at mitigating new variants of attacks. And we've applied that same concept to many different attacker tactics and techniques.

We apply it to new sender domains. You can't just block new sender domains completely. The reason new sender domains are interesting in the email environment is that on the network, you don't see those. It's not like a new link domain that you can block on your secure web gateway. It comes in through the email layer. And so you can't just block new sender domains outright. Well, maybe you actually can, and we do afford you the ability to do that. But most folks combine that with specific behavior, like a new sender domain from an unknown sender, someone you've never sent a message to.

And this was particularly effective when, if you recall, Catalin, Microsoft introduced Mark of the Web. At this point, it's maybe one or two years ago. And we started to see attackers move off of macro-enabled payload delivery mechanisms, and we started to see them use OneNote files. They embed their malicious JavaScript or whatever to gain endpoint execution. So one of the things we did, obviously, was build a detection for malicious OneNote files, looking for specific signs of maliciousness. But we also released an attack surface reduction rule that said: if you receive a OneNote file from a sender domain that you've never communicated with before, then you could do one of a few things: fire off an alert, insert a warning banner, or quarantine the message and give the security team time to review.

And so this is a highly effective concept to apply in email when you've got the right primitives to describe it. Because you can't just block all OneNote files, right? That would just be prohibitive to the business. But if you can do it in a way that minimizes false positives and doesn't impede the business, then it can be a really, really effective tool in your arsenal.

This looks like a pretty complex engine that needs to run. Where does this work exactly? Is it a workstation client, a server model, a Gmail add-on? Where does this run exactly?

Yeah, so Sublime is entirely cloud-based. We plug into the Google and Microsoft cloud APIs, and we get mail in real time as it comes into the tenant. As far as how the deployment works, we can be running in our managed system, our managed cloud. You can also deploy Sublime to your own cloud, and you could even run it via Docker, and it'll just go and poll the Google and Microsoft APIs. And I should mention also that the Docker and self-managed versions of Sublime are completely free to use in our core. We make most of Sublime free to the community. So you can use our core platform for free. You could actually run these right now. You can deploy it. You don't have to talk to us. You don't have to send us your email data. You can just deploy it and start using it.

I've seen you describe this feature in several talks and in a few places online. And as you describe it, it seems that the core part is something that you call the MQL engine, or the message query language, which basically allows you to write detection rules. Who writes these rules? Do you have built-in filters for your customers? Could your customers also write and deploy their own?

Yeah, so the Sublime team writes the core detection rules that run when you spin Sublime up. These cover basically all the kinds of attack surface that you would be worried about, right? Business email compromise, credential phishing, malware, ransomware, impersonations, and all that. So many, many of our customers just use our core feed, and they don't actually need to know anything, or want to know anything, about the inner workings of MQL and how it works. Now, part of the special sauce is that we also give our users and our customers access to the entirety of MQL. That includes our natural language understanding model, our computer vision models, our sender behavioral detection models, and on and on. That's part of the power of having this approach: you can have your cake and eat it too, basically. You can have a really strong story around "just turn it on and you don't have to touch it," with also the ability to build your own detections, customize, tailor things to your environment, and create exceptions to mitigate false positives. So we give you the granularity to do that, and the access to MQL to do that, if you want to do that, if your team is interested in doing that.

When you said natural language processing, am I misinterpreting this? Can the customer say, or use natural language to write a filter? Or am I just...

Yes, that's exactly right. So within MQL, you can call...

So they don't have to know YAML or anything else?

No, they don't have to know anything. Yeah. So they can call machine learning functions from within our DSL. So you can say something like,

And this is how a lot of our BEC detections work, and a lot of our credential phishing detections work: it looks at the language that's used. Our NLU engine is really made up of two parts. There's intent classification, and then there's named entity recognition, NER. Intent classification basically tries to answer the question, what is the attacker's intent here? And we've trained maybe seven or eight intents today on various forms of attack intents. Those are business email compromise, credential phishing, stealing PII, callback phishing, and a few more. Each of those intents has been trained on thousands and thousands of malicious emails that resemble those attacks and use that language. So it's a super powerful primitive.

And then the named entity recognition will parse text from anywhere in the message. It could be in the body of the message. It could be from the strings output extracted from a PDF. It could be from the OCR, optical character recognition, output from an image. You can pass pretty much any text into our NLU engine, and it'll give you all the entities and the intents. The entities are breaking down the text into various parts, and it's saying, okay, this is making a request; this specific word on this line, between this character and this character, is requesting something; this is financial oriented; this has a sense of urgency. And so we can combine all of these signals to create really effective detections for various attack types. And obviously, the really cool thing is that if you're the type of team that wants to build on top of this, you have access to these primitives as well.

So you can detect emails from shady people asking you for money.

Yeah, exactly. Exactly.

Okay, so what happens when you have a message that triggers one of these rules? Does it send an alert somewhere? Can you integrate it with a SIEM or other security tools?

Yeah, exactly. We give you granular control over what happens when a message is flagged. You can do this based off of, for example, the severity of the alerts, or the quote unquote risk of the message, and various other factors. And you can say, I want this to take one of X actions. The actions that we make available in the platform today are: send just an alert in the dashboard, which is one passive alert. There's send a webhook, so send the alert to a webhook, and that's what kicks off our SOAR integrations. A lot of our customers have these hooked up into a SOAR or a SIEM through that mechanism as well. We can auto-quarantine the message, so prevent this message, block this message. We can auto-trash, move it to the user's trash folder. Auto-quarantine will pull it completely out of the user's mailbox. A lot of users will dig through their spam folder or their trash folder and just start clicking on stuff, so auto-quarantine is our most popular action. You can insert a warning banner. You can send a Slack alert. You can send an email alert. So there are a lot of things that you can have happen when an alert is fired.

The threat landscape is not the same across companies. Is there a particular industry where you see this being more useful than other places? Like, for example, we mentioned shady people asking for money. Is the financial sector your go-to place for sales?

You know, it's funny. Every industry is affected by email attacks. And there are obviously some industries that conduct more of their business via email and

have more of their business processes on email as well, so they might be more susceptible to attacks. Others just might have a larger online presence, which makes them more susceptible to mass phishing, where you see a threat actor doing online recon and OSINT in an automated fashion, parsing email addresses from the internet or LinkedIn profiles, and guessing who to attack. So we see these campaigns happen across all industries, from finance to retail to insurance. It pretty much affects everyone.

Obviously, we said at the beginning of the show that this is a novel concept. Have you gotten any feedback from customers? Or is this a case where they're not saying anything, so they're most likely happy with it?

We have gotten a ton of feedback on this in particular, and it's all been extremely positive. Typically the reaction we get is, why hasn't this been done sooner? It just makes complete sense that we would apply this sort of thinking that we've had in other areas of security to the email domain.

Okay, Josh, I think that's the perfect way to end it. Positive feedback from customers is the best way to end it. Love it. Josh, thank you for your time today.

Thank you.
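The ASR rules Josh describes (an HTML attachment from an unknown sender, a OneNote file from a sender domain the organization has never corresponded with, a new low-reputation sender domain combined with an unknown sender) and the action chosen by severity, as an added Python example that is not Sublime's code and does not use MQL. The message fields, the sender-history store, the reputation list, the rule names and the sample messages are all constructed assumptions for illustration.

```python
"""Email attack surface reduction (ASR) rules combining a file-type or
domain signal with sender history, so they fire on mail that has no
prior relationship behind it rather than on all HTML or OneNote files.

Added example, not Sublime's code or MQL. Every field, store and rule
name below is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed sender history for the protected organization: who has ever
# mailed us and whom we have ever mailed. "Unknown sender" in the interview
# means the address appears in neither set.
HISTORY = {
    "received_from": {"alice@partner.example", "billing@vendor.example"},
    "sent_to": {"alice@partner.example", "bob@customer.example"},
}
# Constructed reputation list; a real deployment would query a reputation feed.
LOW_REPUTATION_DOMAINS = {"cheap-hosting.example"}


@dataclass
class Message:
    sender: str
    attachments: list[str] = field(default_factory=list)

    @property
    def sender_domain(self) -> str:
        return self.sender.rsplit("@", 1)[-1].lower()

    def has_attachment(self, *exts: str) -> bool:
        return any(name.lower().endswith(exts) for name in self.attachments)


def known_addresses() -> set[str]:
    return {a.lower() for a in HISTORY["received_from"] | HISTORY["sent_to"]}


def known_domains() -> set[str]:
    return {a.rsplit("@", 1)[-1] for a in known_addresses()}


def unknown_sender(msg: Message) -> bool:
    """Never received from this address and never sent to it."""
    return msg.sender.lower() not in known_addresses()


def new_sender_domain(msg: Message) -> bool:
    """No prior correspondence with anyone at this domain."""
    return msg.sender_domain not in known_domains()


# Each rule: (name, severity, predicate). The predicate pairs a content
# signal with sender history so routine business mail does not match.
RULES: list[tuple[str, str, Callable[[Message], bool]]] = [
    ("html_attachment_from_unknown_sender", "high",
     lambda m: m.has_attachment(".html", ".htm") and unknown_sender(m)),
    ("onenote_attachment_from_new_sender_domain", "high",
     lambda m: m.has_attachment(".one") and new_sender_domain(m)),
    ("new_low_reputation_domain_from_unknown_sender", "medium",
     lambda m: new_sender_domain(m) and unknown_sender(m)
     and m.sender_domain in LOW_REPUTATION_DOMAINS),
]

# Response picked by the highest severity among the matching rules.
ACTIONS = {"high": "quarantine", "medium": "warning_banner", "low": "alert"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def evaluate(msg: Message) -> dict:
    """Return the matching rule names and the single action to take."""
    matched = [(name, sev) for name, sev, pred in RULES if pred(msg)]
    if not matched:
        return {"rules": [], "action": "deliver"}
    top = max(matched, key=lambda r: SEVERITY_RANK[r[1]])[1]
    return {"rules": [n for n, _ in matched], "action": ACTIONS[top]}


# Constructed sample messages.
SAMPLES = {
    # HTML file from someone we have never exchanged mail with: fires no
    # matter which obfuscation the smuggled payload uses.
    "html_unknown": Message("invoice@cheap-hosting.example", ["statement.html"]),
    # Same file type from an established contact: nothing fires.
    "html_known": Message("alice@partner.example", ["report.html"]),
    # OneNote file from a domain we have never corresponded with.
    "onenote_new_domain": Message("hr@newco.example", ["onboarding.one"]),
    # OneNote from a new address at a known domain: domain history clears it.
    "onenote_known_domain": Message("carol@vendor.example", ["notes.one"]),
    # Plain message from a brand-new, low-reputation domain.
    "new_domain_plain": Message("ceo@cheap-hosting.example", []),
}


def run_samples() -> dict[str, dict]:
    return {label: evaluate(m) for label, m in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:22s} -> {verdict['action']:15s} {verdict['rules']}")
```

The point of the pairing is visible in the samples: the same `.html` or `.one` attachment is delivered from an established contact and quarantined from a stranger, which is what keeps a rule of this kind from being prohibitive to the business. In a real deployment the history store would be built from the tenant's sent and received mail over time, and the actions would map onto whatever the mail platform offers (quarantine, trash, banner, webhook).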