How AI email security reduces the burden on human defenders

Dan Fein, Director of Email Security Products | Thursday April 29, 2021

When it comes to measuring the effectiveness of an email security solution, two criteria sit above the rest. First and foremost is the question of accuracy: does the solution consistently catch malicious emails, while allowing legitimate and non-threatening communication to pass through? Or in its simplest terms, does it stop the bad and allow the good?

Within this first criterion, decision-makers would be wise to consider two subtly different but equally important questions: does it really stop the bad (i.e. does it take meaningful action at the right time), and does it stop the really bad (i.e. does it catch not just the low-hanging fruit but also more advanced email threats that often bypass gateways, like trusted third-party impersonation attacks that can cost tens of thousands of dollars)?

The second factor is often not given due attention when considering Return on Investment (ROI): how much time and effort does the product require from your IT team? Cyber security should be an enabler for IT professionals and the business as a whole, yet in too many cases email tools inadvertently hold back legitimate traffic and tamper with mailflow, adding workload to human teams and disrupting business operations.

This blog explains how an AI-based approach to email security not only offers better accuracy and catch rates, but also dramatically reduces time-to-competency with a solution that self-learns and becomes effective almost immediately.

Times ahead

The majority of organizations continue to battle with traditional ‘secure’ email gateways, which not only miss advanced email attacks, but take up the precious time of IT security personnel, who can easily find themselves spending 20+ hours a week messing with PowerShell scripts, finding and removing malicious emails in inboxes, following up with employees, and making configuration changes to the tools. Those tedious, low-impact hours could be spent proactively improving security and staying on top of potential threats.

Now let’s look at how autonomous AI technology approaches email security. Antigena Email leverages unsupervised machine learning to learn ‘on the job’, identifying ‘normal’ behavior for every user and mailbox. Because of this self-learning approach, it adapts to long-term shifts in working practices without requiring any tuning, and it distinguishes genuinely malicious behavior from behavior that is merely unusual. Antigena Email’s findings are flagged and presented in a manner which is easy for anyone to understand: whether that’s you, your new starter, or your executive team.

Antigena Email is designed so that you don’t need to browse lengthy manuals or memorize acronyms and bespoke terms. When an email security incident occurs it handles it quietly, with no impact to the wider business. In addition, it can automatically surface a simple, high-level incident narrative telling you in everyday language what you need to know, why the email was bad, and why Antigena Email took the action that it did.

[Figure 1 is a screenshot of an Antigena Email incident report. Recoverable fields: received Sun Apr 25 2021, 13:33:11; subject “Urgent payment required”; from Steven Perlman <[email protected]>; to Kate Wilson <[email protected]>; anomaly score 100%; status Held; tags Out of Character, Solicitation, Suspicious Attachment, Known Correspondent; actions Hold message, Strip attachment. Its “Anomaly Indicators” panel reads:]

Multiple anomalies have combined to produce a behavioral shift score of 92% for this sender. Word patterns in the email were considered anomalous for the recipient. In addition, the email contains an attachment which appears anomalous based on their sending history, INVOICE-18239.pdf.

Text analysis of the email suggests there may be an attempt to solicit the user into making a bank transaction. A high inducement score was assigned based on this analysis.

The email exhibited an anomaly score of 100% and was held from the user’s inbox.

Figure 1: Antigena Email incident report

Babysitting the gateway

Let’s go back to the gateway for a second. As we’ve discussed in previous blog posts, these tools rely on a series of reputation checks to identify malicious emails: they check each email in isolation, running the domain, the IP address, and any file hashes against a series of blacklists. However, cyber-criminals easily get round this by purchasing domains by the thousands – usually for just a few pennies each – and shortening their attack cycles. As they have never been seen before, new domains don’t have a reputation, so gateways must either risk missing novel attacks, or assume threat in every case and action hundreds or thousands of false positives every week.

For the security team, this means constantly having to monitor the technology and ‘release’ non-threatening emails that have been held back.

Furthermore, the gateway is hard coded to act in a certain way, so if there is a substantial and unforeseen change to the digital environment – a sudden transition to remote working, for instance – it will need to be reconfigured. In many cases, this can be a daunting and time-consuming task. Faced with a series of checkboxes and toggles, an IT security employee without the proper training is just one click away from dramatically changing mailflow across the organization.

IT teams regularly turn to Darktrace saying that they are overworked, pointing to the queues of actioned emails that must be checked on a daily basis. Organizations assume that full protection necessitates aggressive policies and the associated manual effort which comes with them. In fact, it is the opposite: aggressive policies overburden IT teams, negatively impacting an organization’s security posture.

Figure 2: Screenshot of a ‘secure’ email gateway showcasing the many configuration settings of a typical gateway

AI email security: Set it and forget it

Contrast Figure 1 with the dangerous checkboxes above. In Figure 1, it is the AI, not the user, which does the back-end work. Every email is analyzed in the context of the sender, recipient, correspondence history, links, time of day, and a long list of other metrics. When millions of questions are being asked of the data, no human could hand-program those checks, or even fully comprehend the level of interrogation taking place.
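To make the contrast between the two approaches concrete, here is an added illustration (not Darktrace code, and not a description of how Antigena Email is implemented) that runs the same constructed emails through two checks: a gateway-style reputation lookup that judges each message in isolation against blocklists, and a small per-recipient correspondence baseline that learns who normally writes to a mailbox and whether they send attachments. The sample history, addresses, IPs, hashes and the keyword stand-in for text analysis are all constructed for the demo; it generalizes the point in the two passages above (a never-seen domain has no reputation to fail, but it does stand out against the recipient’s correspondence history), and shows a proportionate response rather than a blanket block.

```python
"""Added illustration: isolated reputation checks versus a per-recipient
correspondence baseline. All data is constructed; not Darktrace/Antigena code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed reputation lists of the kind a gateway consults for each email.
BLOCKLISTED_DOMAINS = {"known-phish.example"}
BLOCKLISTED_IPS = {"203.0.113.7"}
BLOCKLISTED_HASHES = {"0badf00d"}

# Keyword stand-in for text analysis: wording that pushes for a payment action.
SOLICITATION_WORDS = ("urgent", "payment", "wire", "transfer", "invoice")


@dataclass(frozen=True)
class Email:
    sender: str
    recipient: str
    src_ip: str
    subject: str
    attachment_hash: Optional[str] = None


def reputation_verdict(mail: Email) -> str:
    """Gateway-style check: each email judged alone against static lists.
    A freshly registered domain has no history, so it simply passes."""
    domain = mail.sender.split("@", 1)[1]
    if (domain in BLOCKLISTED_DOMAINS or mail.src_ip in BLOCKLISTED_IPS
            or mail.attachment_hash in BLOCKLISTED_HASHES):
        return "block"
    return "allow"


class CorrespondenceBaseline:
    """Learns, per recipient, who writes to them and whether those senders
    normally send attachments; new mail is scored against that history."""

    def __init__(self) -> None:
        self.mails_from = defaultdict(lambda: defaultdict(int))        # recipient -> sender -> count
        self.attachments_from = defaultdict(lambda: defaultdict(int))  # recipient -> sender -> count

    def learn(self, mail: Email) -> None:
        self.mails_from[mail.recipient][mail.sender] += 1
        if mail.attachment_hash:
            self.attachments_from[mail.recipient][mail.sender] += 1

    def indicators(self, mail: Email) -> list[str]:
        """Anomaly indicators relative to this recipient's own history."""
        tags = []
        if self.mails_from[mail.recipient][mail.sender] == 0:
            tags.append("new_sender")
        if mail.attachment_hash and self.attachments_from[mail.recipient][mail.sender] == 0:
            tags.append("anomalous_attachment")
        if any(word in mail.subject.lower() for word in SOLICITATION_WORDS):
            tags.append("solicitation")
        return tags

    def verdict(self, mail: Email) -> str:
        """Proportionate response: hold only when several anomalies coincide;
        a lone unusual attachment from a known sender just loses the attachment."""
        tags = self.indicators(mail)
        if len(tags) >= 2:
            return "hold"
        if "anomalous_attachment" in tags:
            return "strip_attachment"
        return "deliver"


def run_demo() -> dict[str, tuple[str, str]]:
    """Returns {case: (reputation verdict, baseline verdict)} for constructed mail."""
    baseline = CorrespondenceBaseline()
    # Constructed history: a colleague mails Kate every week, never with attachments.
    for _ in range(20):
        baseline.learn(Email("sam@corp.example", "kate@corp.example", "198.51.100.4", "Weekly sync"))

    cases = {
        # Never-seen domain, on no list, pushing for a payment with an attachment.
        "lookalike_invoice": Email("steven@corp-billing.example", "kate@corp.example",
                                   "198.51.100.99", "Urgent payment required", "a1b2c3"),
        # Routine traffic from the known correspondent: no false positive.
        "routine": Email("sam@corp.example", "kate@corp.example", "198.51.100.4", "Weekly sync"),
        # Known sender's first-ever attachment: an oddity, but not a hold.
        "first_attachment": Email("sam@corp.example", "kate@corp.example", "198.51.100.4", "Slides", "f00d"),
    }
    return {name: (reputation_verdict(m), baseline.verdict(m)) for name, m in cases.items()}


if __name__ == "__main__":
    for name, (gateway, learned) in run_demo().items():
        print(f"{name:18s} gateway={gateway:6s} baseline={learned}")
```

The reputation path returns "allow" for all three cases because nothing in them has ever been listed; the baseline holds the lookalike invoice (new sender, anomalous attachment and solicitation wording all at once), delivers the routine mail untouched, and only strips the attachment from the colleague’s first-ever one. The keyword list and the "two indicators means hold" threshold are deliberate simplifications standing in for the scoring the post describes.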

“The product really is a set it and forget it type of solution that works seamlessly in the background.”
CTO, Government

When a threat is identified, rather than delivering broad-brush strokes, the AI actions a surgical and proportionate response according to the nature of the threat. The technology installs in minutes, and that is the only configuration and fine tuning it requires: the system then continuously updates its understanding of the organization, without human intervention.

Why IT matters

We are facing an increasing cyber skills shortage, and even before the pandemic, security teams were often lean and understaffed. Dramatic changes to working practices brought about by the shift to remote working have placed even greater pressure on the SOC. Finding technologies that are not only accurate, but also offer the security team significant time savings, is more critical now than ever.

This is leading thousands of organizations to abandon their existing gateways in favor of a fundamentally different approach to email security, one in which it is the AI that does the heavy lifting, rather than overstretched IT teams.


Dan Fein

Based in New York, Dan is the Director of Product. He joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s world-leading Cyber AI Platform and products. Dan has a particular focus on Antigena Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.