In Today’s Threat Landscape, Successful Anti-Phishing Requires Email Security to Learn in Real-Time
Phishing threats are constantly morphing at scale and the vast majority of businesses simply don’t have the time, money, and resources to investigate each and every suspicious email as quickly as phishing mitigation demands.
In fact, 67% of organizations take 6-20 minutes or longer to identify and remove a single phishing email, according to Osterman Research. This timeframe from identification to remediation is staggering when considering that employees engage with phishing emails in 82 seconds or less.
Today, around 350,000 new malware variants are discovered every day and attackers are constantly improving their tools and techniques. As a result, traditional approaches to phishing incident response and solutions like secure email gateways (SEGs) are becoming powerless.
That’s because such tools rely on scripts and rules, which are no match for the volume and magnitude of modern email attacks.
For perspective, by the time a security analyst writes a rule, it is likely already redundant, and the odds are that at least one employee has already clicked on the phishing email.
Mitigating The Vulnerabilities of Siloed Email Security Controls
It is widely accepted that roughly 90% of all cyberattacks begin with email phishing. This is largely because attackers continue to find new ways to defeat both human and technological controls, especially when collaboration between humans and machines is absent or infrequent.
To mitigate the inherent vulnerabilities of siloed human and machine anti-phishing approaches, a new type of email security that combines machine learning, artificial intelligence, and human crowdsourcing is gaining traction.
Known as self-learning email security, this evolution of anti-phishing technology applies a reinforced learning paradigm that blocks, monitors, and responds to email phishing attacks in real-time.
In a self-learning architecture, the blocking component acts as a filtering layer, attempting to stop attacks before they morph into major security events. The monitoring component constantly reinforces the blocking component by looking for filtering errors, which occur when an email was originally allowed to enter an inbox before subsequent layers determine that the message must be removed.
The response component then informs the learning algorithms of the mistake so that such an error will never happen again.
This reinforced learning paradigm also makes it possible to predict what the next attack is likely to look like. In this scenario, a prediction is possible because the model learns what the malicious message looks like in all its forms; thus it can project future variations with accuracy. This is important when considering that 42% of phishing attacks are polymorphic.
How Self-Learning Email Security Works
Unlike legacy email security, self-learning email security gets smarter in real-time based on both human and machine actions. In doing so, no gaps in time exist between learning of trending phishing attacks and the technology’s ability to prevent, detect, and respond.
There are four essentials inherent to a successful self-learning email security tool. These include:
Accurate and recent data is essential, and machines cannot be trained on bad or biased data. On the same note, the data must be captured as close to the event(s) as possible, as fixing today’s problems cannot be reliant on yesterday’s data. The key here is to start at the individual mailbox level (or thousands of them) and feed data into a machine learning model.
When combined with meta-data, it is possible for machines to learn what is good and what is bad.
Both humans and technology need to help machines understand, quickly and as accurately as possible, when they have failed, so that the system can promptly be retrained on its errors. This reinforcement process driven by real-time data is the heart of a self-learning solution.
Drawing a clear line between good and bad emails is not easy, but if you have a good source of data then you are off to a good start. Machines help find and cluster similarities in phishing emails and known attacks at scale. This prevents broader polymorphic attacks or campaigns from going undetected and wasting security analysts’ time and resources, allowing automation to be applied to repetitive tasks.
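The following is an added illustration, not code from the article or any vendor, of the block / monitor / respond loop and the error-driven retraining described above: a linear classifier over mailbox content plus coarse metadata acts as the blocking layer, a monitor records filtering errors (a missed phish reported by an employee, or a legitimate message wrongly quarantined), and the response step updates the model with a perceptron rule, which stands in here for "the learning algorithms". All messages are constructed samples.

```python
import re
from collections import defaultdict

def features(msg):
    """Content tokens plus coarse metadata tokens (sender domain, link present)."""
    sender, subject, body = msg
    feats = set(re.findall(r"[a-z]+", (subject + " " + body).lower()))
    feats.add("sender_domain:" + sender.split("@")[1])
    if re.search(r"https?://", body):
        feats.add("meta:has_link")
    return feats

class SelfLearningFilter:
    """Blocking layer (linear scorer), monitor (error log), response (retrain)."""
    def __init__(self):
        self.weights = defaultdict(float)   # feature weights, all zero at first
        self.filtering_errors = []           # monitor's record of misses and false blocks

    def block(self, msg):
        """Blocking component: quarantine when the weighted score is positive."""
        return sum(self.weights[f] for f in features(msg)) > 0

    def feedback(self, msg, malicious):
        """Monitor + response: a human report or a later control supplies the truth;
        on a filtering error the weights are updated (perceptron rule, a stand-in
        for the article's learning algorithms) so the same mistake is not repeated.
        Returns True when a filtering error was recorded."""
        error = self.block(msg) != malicious
        if error:
            self.filtering_errors.append((msg[1], "missed" if malicious else "false block"))
            for f in features(msg):
                self.weights[f] += 1.0 if malicious else -1.0
        return error

def demo():
    """Walk one reinforcement cycle over constructed sample messages."""
    f = SelfLearningFilter()
    phish = ("helpdesk@corp-example.co", "Password expiring",
             "Your password expires today, verify at http://corp-example.co/login")
    missed = f.feedback(phish, True)          # untrained filter lets it through; employee reports it
    variant = ("security@corp-example.co", "Account notice",
               "Unusual sign-in detected, confirm your account at http://corp-example.co/verify")
    variant_blocked = f.block(variant)        # reworded (polymorphic) variant caught, no rule written
    legit = ("it@corp.example", "Password policy", "Reminder: change your password today")
    false_block = f.feedback(legit, False)    # over-blocking is also an error the monitor catches
    return {"missed": missed, "variant_blocked": variant_blocked, "false_block": false_block,
            "legit_after": f.block(legit), "variant_after": f.block(variant),
            "errors": len(f.filtering_errors)}

if __name__ == "__main__":
    print(demo())
```

Both error types feed the same loop: after the false block is corrected the internal password reminder is delivered while the lookalike-domain variant stays quarantined.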
Closing the Loop
Providing machines with real-time and continuous feedback on all newly learned data is a critical element for a self-learning platform. In fact, the self-learning model continuously learns from multiple sources, both internal and external and human and machine, in order to adapt and get smarter at predicting, preventing, detecting, and responding to phishing attacks in real-time.
It’s easiest to envision the concept of self-learning email security through the prism of redundancies. That is, if one control fails to identify a malicious email, then other human and technical controls are invoked as a backstop. But how can we ensure that the layer which missed the malicious email in the first place doesn’t miss it again?
That’s the beauty of humans and machines working together. With such collaboration, the risk of one layer failing to identify the same phishing attack on more than one occasion is greatly reduced because this layer is now learning from its counterparts.
Overall, this continuous cycle of reinforced learning makes it possible for organizations to defend their email infrastructure against modern phishing attacks quicker than it takes an employee to inadvertently click on the malicious message.
And, in today’s prolific email threat landscape, the accuracy, expediency and scrupulousness in risk mitigation cannot be overlooked.