Norman McKeown, LSH Auto UK on BitDam Office365 Email, OneDrive and MS Teams
We’ve interviewed Norman McKeown, LSH Auto UK Head of Information Technology about his experience with BitDam’s Advanced Threat Protection (ATP). LSH Auto is the largest Mercedes Benz dealerships in the UK.
Here is the result in video and text:
Q: How did the COVID-19 pandemic present new challenges for LSH Auto? Collaborating digitally was maybe not as big a piece of the puzzle previously?
A: Yeah. COVID-19, I think for a lot of organizations, certainly ours, came out of the blue and came on very quickly. Being an automobile organization, a car company, we are quite old-fashioned in the way we do a lot of things. Digital collaboration, remote working, was not normal practice for our business. When COVID-19 hit we had to figure out how can we keep certain areas of the business trading whilst working remotely? It was a whole new level of collaboration, a whole new level of data protection. A whole new level of information transfer that we had not previously done as an organization or indeed as an industry before. The biggest challenge was how could we quickly convert to that mode of working while still keeping our systems secure, keeping our users secure, and as I say, keeping our customers’ information secure. It was a very, very quick and rapid change of use of technology for us as a group.
Q: As you were evaluating potential solutions, why did LSH Auto ultimately decide to invest in BitDam?
A: BitDam came to my attention as a relatively new organization. But their approach to, initially, email security, which was the first area I was looking at, was a very different approach to what I’d seen with some of the other ATP companies that I was dealing with. The big wins for me were their ease of integration. Setting it up couldn’t have been simpler. I didn’t have to change my users where I was working. They carry on working as normal. But also the ability to react whenever new threats came out. The ability to react and ensure that we were protected against those threats was one of the biggest wins for me that meant I didn’t have to think about speaking to my ATP company to say, “This new threat is available, can you help protect us against it?” BitDam were already ahead of the curve and quite often protecting me before I’d even had a chance to talk to them about it.
Q: Now moving on to more of the results that you see now that you’re partnering with BitDam. From a high level, what have the results been? What does BitDam enable for LSH Auto?
A: Since we’ve implemented BitDam, we’ve seen a significant drop in the number of phishing emails and rogue emails that have come into our system, into our users’ inboxes. For me, with a very small IT department to support the group, it’s great having BitDam on board because by the time we’ve received the notification, we know that this batch has already been dealt with and handled and it’s an awareness notification for us. Seeing what has made it through our first level of defense, and having BitDam as our second level of defense, since expanded from just the email into OneDrive, into Teams, into SmartLink scanning, means that I know my users are secure and that very, very little rogue data gets through us to my users’ inboxes. That has made my life a lot easier, to the point of almost not having to think about it from that respect.
Q: What would you say the number one biggest benefit of BitDam has been?
A: I’d say the ease of deployment has to be the biggest win for me as head of IT and for us as an organization. Looking at solutions that would involve changing the way users operate, there’s a human element in that. Where they risk forgetting to use the secure route. Forgetting to click on the secure button. With BitDam, we were able to deploy it centrally from the IT division in a very quick period of time. Our users carry on as they normally do. They don’t have to think about it. They don’t have to think about system security. It just integrates seamlessly with Office 365 platform and scans everything in the background. Definitely for us, one of the biggest wins is we could roll it out with essentially no user training.
Q: How has BitDam, for OneDrive and Teams, helped you to address some of those challenges that you spoke of earlier with collaborating remotely?
A: We originally deployed BitDam against our email client; we’ve since expanded the protection to cover our OneDrive and our Teams portions of Office 365. This was actually done prior to COVID really causing an issue in the UK. But for us it meant we were in a really strong position to bring the company into a digital world and digital collaboration. It meant we could securely share business information, financial information, customer information. Knowing that we had this level of protection in our system, that should any attack try to come in, we had this level of protection that could stop that from compromising our data and ultimately compromising our customers’ information. It made life an awful lot easier for us moving to the new world of remote working.
Q: Has BitDam ATP caught threats that have been missed by Microsoft Office ATP?
A: One of the reasons why I wanted to look for an additional ATP program was I was seeing a number of threats coming through our Microsoft Office ATP program. Whilst it was picking up a large number, I still had a significant number of threats coming through and reaching the users’ mailboxes. Some of which were easy to spot; some, even for me as a seasoned professional in IT, took quite a bit of analysis to determine, was it a phishing email or was it a genuine one? Once we introduced the BitDam platform as a second line of defense, we then noticed that those that were coming through and bypassing the Microsoft ATP were then being picked up by the BitDam platform and stopped from reaching our end users’ mailboxes and our end users’ OneDrives, which really gave us that extra added level of security that we were looking for.
Our researchers recently observed a new trend in phishing email campaigns that is worth sharing here. It is well known that almost 20% of the phishing emails out there fake Microsoft login pages, aiming to steal Office 365 credentials. Some of you may even be careful when getting an email that links to a Microsoft login webpage, suspecting it might be a phishing scam. You’re definitely right about this one! But would you ever suspect a Microsoft login page that uses your corporate logo, branding and URL? This is what hackers started doing recently, to fool both end-users and email security engines.
The New Way of Stealing Office 365 Credentials
Traditionally, phishing attacks that lure users into entering their Microsoft credentials use fake generic O365 login-pages with a Microsoft logo that look like this one:
The new method includes the following elements that, together, make it almost impossible to notice that this is not the real brand’s login page:
1. The targeted organization’s logo. The organization’s logo is injected into the O365 login page. Not only does this help the fake page look more real to users, it also makes it harder for phishing detection engines based on reputation or image analysis to detect it. The fake login page would look like this:
2. The targeted organization’s domain URL in the link the user sees (it later redirects to the phishing URL). The majority of phishing attacks use an original URL that redirects to the malicious URL. This is a basic technique to bypass phishing detection engines as well as suspicious users. In these tailored attacks, the hackers use the organization’s name in the original URL so that it contains the domain name of the targeted organization. As you can see in the screenshot, they typically insert the victim’s organization name at the beginning of the URL, so that is what users see when they hover over the link or click it. This way, they are less likely to think it is not genuine.
3. The target organization’s branding or look and feel in the background. If the two techniques described above are not convincing enough, some attackers take it to the next level and use a background that fits the victim’s branding. This could be an image or a branded background that is available online.
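The link trick in point 2 can be checked mechanically: what matters is not whether the brand name appears somewhere in the URL, but whether the registrable domain is one the organization actually owns. The Python below is an added example (not BitDam’s code) that classifies the links found in an email on that basis; the organization name `examplecorp`, its domains, the sample links and the small two-label public-suffix list are constructed for illustration.

```python
"""Classify links in an email by who really owns the registrable domain.

Added example, not BitDam's code. The tailored phishing described above
puts the victim organisation's name at the start of a URL (as a subdomain
label, in the path, or inside a lookalike domain) while the registrable
domain belongs to the attacker. Brand mentions are therefore ignored and
only the registrable domain decides whether a link is "ours".
"""
from __future__ import annotations

from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List (two-label suffixes
# only). A real deployment should use the full list, e.g. via tldextract.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.il", "co.jp", "co.nz"}

# Registrable domains under which genuine Microsoft / Office 365 sign-in lives.
MICROSOFT_LOGIN_DOMAINS = {"microsoftonline.com", "microsoft.com", "live.com", "office.com"}

# Constructed organisation used for the sample run (hypothetical names).
ORG_BRAND = "examplecorp"
ORG_DOMAINS = {"examplecorp.com", "examplecorp.co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable ("apex") domain of a hostname.

    'login.examplecorp.co.uk' -> 'examplecorp.co.uk'
    'cdn.example.org'         -> 'example.org'
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, org_brand: str, org_domains: set[str]) -> str:
    """Classify one link as the user would see it in the email body.

    own-domain       registrable domain is one the organisation owns
    microsoft        genuine Microsoft sign-in domain
    brand-lookalike  brand name present but the domain is somebody else's
    external         unrelated link
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "external"

    apex = registrable_domain(host)
    if apex in {d.lower() for d in org_domains}:
        return "own-domain"
    if apex in MICROSOFT_LOGIN_DOMAINS:
        return "microsoft"

    brand = org_brand.lower()
    # Everything left of the apex is attacker-controlled naming.
    sub = host[: -len(apex)].rstrip(".") if host != apex else ""
    subdomain_labels = sub.split(".") if sub else []
    if (brand in apex
            or any(brand in label for label in subdomain_labels)
            or brand in parsed.path.lower()):
        return "brand-lookalike"
    return "external"


def scan_links(links: list[str], org_brand: str, org_domains: set[str]) -> dict[str, str]:
    """Map every link in an email to its verdict."""
    return {link: classify_link(link, org_brand, org_domains) for link in links}


# Constructed sample links; example.invalid/example.* are reserved names.
SAMPLE_LINKS = [
    "https://examplecorp.co.uk/login",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "http://examplecorp.login-verify.example.net/office365",   # brand as subdomain
    "https://cdn.example.org/examplecorp/owa",                  # brand in path
    "https://examplecorp-login.com/",                           # brand in lookalike apex
    "https://news.example.org/",
]

if __name__ == "__main__":
    for link, verdict in scan_links(SAMPLE_LINKS, ORG_BRAND, ORG_DOMAINS).items():
        print(f"{verdict:16} {link}")
```

A `brand-lookalike` verdict is a strong signal precisely because the visible link was designed to look trustworthy; route such messages for review rather than relying on the domain’s (often clean) reputation.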
4-fold Increase in The Prevalence of Such Attacks
In the past couple of months, we noticed a dramatic increase in the prevalence of these attacks among BitDam customers. In fact, the prevalence of such attacks in August was more than 400% of the prevalence in July. The trend continued in September with an additional slight increase and keeps going on as I write this post. This implies that these campaigns use some kind of automated tools that were published recently.
We detected these tailored Office 365 phishing attacks in organizations of all sizes, including both small businesses of a few dozen users and large corporates. This strengthens our assumption that faking these login pages is automated and that there are new phishing kits that allow using the above techniques easily.
The emails that lure victims into clicking the link that would take them to their Office 365 account vary as well. Many of them include a notification saying that there is a voice message waiting for them, some use the excuse of Office 365 password expiration, some say that you’ve failed to receive a message from tax authorities and so on. If victims take the bait and click the link, they are then redirected to what looks like their organization’s Office 365 login page but is actually a phishing page aiming to steal their credentials.
Phishing scammers’ lives are much easier these days. In the past, bad actors had to work hard in order to build such a customized phishing attack, and these were typically saved for the big fish. Nowadays, all they need is to search online for the newest toolkits and they can spray it all over.
Unfortunately, this makes the lives of both the organizations aiming to protect their employees and assets, and the security vendors that help them do so, much more difficult. To protect against such threats, as well as other emerging phishing techniques, organizations need to make sure their email security can protect against any phishing attack and technique, even ones that are not yet known or commonly used. In these cases, reputation-based security solutions or ones based on signatures would not help, as these attacks are customised per organization and signatures can’t be updated at the needed pace. Thanks to its unique attack-agnostic approach, BitDam ATP detected these threats at first encounter, when they had just emerged, without any changes to its detection mechanism.
While BitDam ATP identified these phishing attacks and blocked them before they reached the users’ mailboxes, the phishing method described in this post flies under the radar of most Advanced Threat Protection solutions, including Microsoft’s Office ATP. I recommend testing your email security against these attacks as well as others to better understand your security posture. You can do this using Breach & Attack Simulation tools such as BitDam Lucky Meter.
Traditional Breach And Attack Simulation Is Outdated – Here’s Why
Just glancing at the headlines, it’s easy to see that phishing, fraud, and ransomware campaigns are on the rise. This has been driven by numerous factors, including the availability of “phishing kits” available for purchase on the dark web. Malicious actors are getting more sophisticated and are targeting companies of all sizes and in any industry. So how do you keep your organization safe?
Assessing Strengths and Weaknesses
A great place to start is with understanding your current security posture. Where are your weaknesses? What areas need to be shored up? Finding and evaluating your gaps and vulnerabilities is the first step in keeping your data, users, and network safe. Running tests – including an email security test, malware test, and phishing test – is an important way to gain insights into your vulnerabilities.
Pen Testing to Find Answers
This is where pen testing (penetration testing) is often used. Generally speaking, pen testing comprises a single test that is built from artificial attack samples.
However, this approach has a number of drawbacks. Artificial attacks just do not provide the same assurance or insights as the real thing. Your current architecture might cope just fine with artificial incursions but might fail when it comes to the real thing.
Pen testing is therefore increasingly being replaced by Breach and Attack Simulation (BAS) tools.
Breach and Attack Simulation (BAS)
BAS tools provide an ongoing evaluation of your organization’s security posture. The promise of BAS was enticing: the ability to simulate real attacks that are updated based on attack trends and threat popularity. This has led to a market for BAS tools that is growing rapidly.
As great as BAS is, there remains a difficulty – one that could mean the difference between successfully thwarting a cyber attack, or falling victim to such an attack.
BAS solutions still use artificial attacks, and thus cannot effectively tell you how your security stack will deal with a real-world, live threat. Threats are simulated based on those seen in the wild, but by definition these are still simulated, a reflection of the real attack.
Preparing for the next threat
There is a dangerous time lag from when a new attack is released until it is incorporated into BAS solutions. With malicious actors constantly changing tactics – including automating threats to mutate and evade security solutions – ideally, you would want to test your system against real attacks, those seen in the wild in real-time. Knowing that your organization’s security posture can deal with yesterday’s attacks just doesn’t cut it anymore.
A key challenge is that risk is highest when a threat or a new attack technique is released for the first time, before your security solutions have come to recognize and deal with the threat. By this time, new threats will already be targeting your organization. It’s an issue of speed, and tools that can give you answers in real-time about how you’re dealing with the latest threats are critical.
There’s an acute need for vulnerability assessment tools that use real, live threats – rather than old or simulated ones.
With BAS 2.0, BitDam has launched its new generation of BAS solutions that are the answer organizations have been looking for.
Take BitDam Lucky Meter, or BAS2.0. Lucky Meter uses the freshest in-the-wild malware and phishing threats to continuously test your email defenses, empowering you to assess your organization’s defenses against malware – in real-time. The ability to run an email security test, malware test, or phishing test using real and ongoing attacks is priceless.
BitDam Lucky Meter sends real attacks of all types from the wild, as they materialize. This is done constantly while ensuring the testing is non-intrusive. BitDam Lucky Meter offers a continuously updated dashboard showing which threats bypassed your current security and which were blocked. Critically, it also shows the amount of time your system was exposed to each threat – the Time To Detect or TTD – which is often a more important indicator than the miss rate or rate of detection.
In summary, we’ve moved from Pentesting to BAS, and finally to the real thing: a way to continuously assess your security against the latest attacks seen in the wild, in real-time.
Aiming to decrease the chances of being detected and gaining more time before their phishing scam is exposed and blocked by response organizations, attackers use multiple evasion techniques. And they continue to be creative about it!
Tracking these techniques closely, we see a variety of them. Here are a few evasion techniques that help phishing attacks bypass security solutions:
Mobile only – The link directs to the malicious webpage only if browsing from mobile devices, leveraging the fact that mobile devices are less secure than desktops and that users may pay less attention when browsing from their mobile.
Timers before redirecting – the attack waits a few seconds before redirecting to the malicious link in order to evade security solutions that run for a limited timeframe.
Button automation – the redirection to the malicious page happens only after the user clicks a button, which verifies that the user is a real person. Security solutions don’t click it and therefore don’t “get to see” the malicious page and can’t detect the link as malicious.
Captcha defender – just like the simple button automation, the victim is redirected to the malicious URL only after clicking a captcha or a reCAPTCHA and being identified as a real person. Here again – if the security tool can’t access the malicious page, it definitely can’t detect it as malicious.
These techniques and others reduce security solutions’ effectiveness making it almost impossible to prevent phishing attacks.
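As an added example (not BitDam’s code), the Python below inspects the HTML of the page a link resolves to and reports which of the four evasion techniques listed above it exhibits, so a security team can hold such pages for deeper analysis instead of trusting a verdict from a scanner that never reached the final page. The sample pages and the `example.invalid` destination are constructed.

```python
"""Flag client-side evasion gates in a fetched landing page.

Added example, not BitDam's code. A URL scanner that fetches a page once and
stops never reaches the credential form when the page delays, click-gates,
CAPTCHA-gates or user-agent-gates the redirect. This module looks for those
gates in the HTML so the page can be held for deeper (or manual) analysis.
All sample pages below are constructed.
"""
from __future__ import annotations

import re
from html import unescape

# <meta http-equiv="refresh" content="5;url=..."> with a non-zero delay
META_REFRESH = re.compile(
    r'http-equiv\s*=\s*["\']refresh["\'][^>]*content\s*=\s*["\']\s*(\d+)\s*;', re.I)
# setTimeout(<body>, <delay ms>) whose body touches window.location
SET_TIMEOUT = re.compile(r'setTimeout\s*\((.*?),\s*(\d+)\s*\)', re.I | re.S)
# inline onclick handlers and click listeners (the "press to continue" button)
ONCLICK = re.compile(r'onclick\s*=\s*(["\'])(.*?)\1', re.I | re.S)
CLICK_LISTENER = re.compile(r'addEventListener\s*\(\s*["\']click["\'](.{0,400})', re.I | re.S)
# common human-verification widgets used as a gate
CAPTCHA = re.compile(r'g-recaptcha|recaptcha/api\.js|hcaptcha|cf-turnstile', re.I)
# user-agent sniffing for mobile browsers
USER_AGENT = re.compile(r'navigator\.userAgent', re.I)
MOBILE_UA = re.compile(r'Mobi|Android|iPhone|iPad', re.I)

MIN_DELAY_S = 1       # meta refresh delay, seconds
MIN_DELAY_MS = 1000   # setTimeout delay, milliseconds


def detect_evasion(html: str) -> list[str]:
    """Return the sorted list of evasion techniques found in the page."""
    text = unescape(html)
    flags: set[str] = set()

    m = META_REFRESH.search(text)
    if m and int(m.group(1)) >= MIN_DELAY_S:
        flags.add("timed-redirect")
    for body, delay_ms in SET_TIMEOUT.findall(text):
        if "location" in body.lower() and int(delay_ms) >= MIN_DELAY_MS:
            flags.add("timed-redirect")

    handlers = [m.group(2) for m in ONCLICK.finditer(text)]
    handlers += [m.group(1) for m in CLICK_LISTENER.finditer(text)]
    if any("location" in h.lower() for h in handlers):
        flags.add("click-gated-redirect")

    if CAPTCHA.search(text):
        flags.add("captcha-gate")
    if USER_AGENT.search(text) and MOBILE_UA.search(text):
        flags.add("mobile-only")
    return sorted(flags)


def triage(html: str) -> str:
    """Pipeline verdict: a gated page must not be marked clean just because
    the first fetch showed no credential form."""
    return "hold-for-analysis" if detect_evasion(html) else "no-evasion-indicators"


# Constructed sample pages (example.invalid is a reserved, non-resolving name).
SAMPLE_TIMED_REDIRECT = (
    '<html><head><meta http-equiv="refresh" '
    'content="5;url=https://example.invalid/next"></head>'
    '<body>Loading...</body></html>')
SAMPLE_CAPTCHA_GATE = (
    '<html><head><script src="https://www.google.com/recaptcha/api.js"></script></head>'
    '<body><form><div class="g-recaptcha" data-sitekey="CONSTRUCTED_SITE_KEY"></div>'
    '<button onclick="window.location.href=\'https://example.invalid/next\'">'
    'Continue</button></form></body></html>')
SAMPLE_MOBILE_ONLY = (
    '<script>if (/Android|iPhone|Mobi/i.test(navigator.userAgent)) {'
    ' setTimeout(function () { window.location.href = "https://example.invalid/next"; }, 4000);'
    ' } else { document.write("Page not found"); }</script>')
SAMPLE_BENIGN = (
    '<html><body><h1>Quarterly newsletter</h1>'
    '<a href="https://example.invalid/read">Read more</a></body></html>')

if __name__ == "__main__":
    for name, page in [("timed", SAMPLE_TIMED_REDIRECT), ("captcha", SAMPLE_CAPTCHA_GATE),
                       ("mobile", SAMPLE_MOBILE_ONLY), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:8} {triage(page):22} {detect_evasion(page)}")
```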
Evade with a click of a captcha
In the past couple of weeks our researchers identified a drastic increase in the number of attacks using a captcha defender to get past security tools. And guess what, these phishing attacks indeed bypassed leading Secure Email Gateway (SEG) solutions and even Advanced Threat Protection products including Office ATP and Proofpoint TAP.
The prevalence of this technique seen among BitDam’s customers grew by hundreds of percent in the past couple of weeks, compared to the previous two weeks. Scanning all attacks from various feeds, we’ve observed the same trend in those feeds as well, driving us to the conclusion that this was added to popular phishing kits.
It starts with what seems like an innocent email. Here is one example of a subject line: “New Sharedfile Received for BRAND”. Opening the email, it looks like the email contains several attachments and the user is requested to click a button to view them, with text saying “BRAND uses Outlook Files to share documents securely”. Clicking it would lead to a captcha page that looks like this:
The next page would be the actual phishing URL. For example:
By now, you are probably wondering how common this technique is and who are the target victims. So…it is more common than you would imagine. We saw it targeting most of our customers which range from small and medium businesses to enterprises with many thousands of users from various industries and locations. This evasion technique was used in phishing attempts in Europe, North America and The Middle East. The attacks were almost always delivered via email.
Perhaps the most interesting thing about the attacks that BitDam prevented among its customer base was that all of them were leading to fake Microsoft login pages. As you can see in these screenshots, they varied in their graphics, but Microsoft remains the number one target with hackers desiring to steal Microsoft user credentials.
What can we do about it?
Assuming you don’t want to be the next victim, I would start by checking whether your email security vendor detects such attacks. You can simply register for BitDam Lucky Meter, which will send you the most recent phishing (and malware) attacks as soon as they are released to the wild, and provide you with a simple dashboard so you can easily know what bypassed your current email security. BTW – it’s totally free.
Of course, you should never enter your credentials to unknown websites, but that tip is pretty outdated. Everyone knows they shouldn’t click suspicious links but somehow there are more successful phishing scams every day. This means someone does click them, right?
However, if you do come across a URL that you aren’t sure about and would like to scan for phishing before going on, you can always use this online phishing scanner that will give you a verdict in no time, letting you know if the link is a phishing scam.
CISOs Panel Discussion: Securing Remote Collaboration During a Pandemic
Liron Barak, CEO of BitDam interviews three CISOs from across the globe in this unique panel discussion. A common theme between all of our panelists is how to face the ‘new normal’ of remote working with the rise of cyber threats. These security experts dive into their organizations’ plans of attack on how to become quick and effective adaptors to these new security challenges. Read the transcript below!
LB: Good morning and good afternoon! Thank you for joining the panel discussion on securing remote collaboration during the pandemic. My name is Liron Barak. I’m the CEO and Co-founder at BitDam, but I’m the least interesting person here. Today we have three special guests that I’m honored to host.
We have Michael Sherwood, the Chief Innovation Officer at the city of Las Vegas, joining us from Nevada. We also have Norman McKeown, the Head of IT at LSH Auto UK Limited, the UK’s leading Mercedes Benz retailer with over 143 Mercedes Benz dealerships worldwide, and last but not least Daniel Baird, who is the Group Head of IT of Graham’s Family Dairy, all the way from Scotland.
Welcome guys! Thanks for joining us for this session. We’re planning to have an open conversation today talking about what it’s like to be in charge of IT security when things are crazy, everywhere, but especially when it comes to IT and cybersecurity. Let’s start off with a little bit about the background of each of you and the organization you represent. Daniel why don’t we start with you.
DB: Yes, I’m the Group Head of IT at Graham’s Family Dairy. We’re a family run business, operating since 1939, supplying milk, cream, ice cream and butter, to over 7,000 customers UK wide and internationally. I’ve been in the role here for approximately five years and looking after everything from IT Security through two to one connectivity in ERP solutions. So it’s a busy job. Prior to Graham’s, I was Managing Director of an MSP doing cloud consultancy primarily and Office365 consultancy. I’ve become a bit of the gamekeeper turned poacher.
NM: I’m Norman McKeown, the Head of IT for LSH Auto in the UK. We are one of the largest Mercedes dealer groups locally. I’ve been lucky enough to do this role for about four years, touching pretty much anything a cable touches, from infrastructure, to telephony, to CCTV systems, all falling under my role. It’s been a whirlwind since we launched the company in the UK. Prior to that, I did a short stint at Siemens Power Generation Services and before that I was over 17 years at PSA. I’ve worked on the manufacturer side of automotive; I’m gatekeeper turned poacher, having now moved onto the retail and dealer side. So it’s been a good four years and plenty more to keep me busy.
MS: I guess I’ll go now. I’m Michael Sherwood, the Chief Innovation Officer for the City of Las Vegas. I don’t think any introduction needs to be done for Las Vegas, we’re an entertainment destination where you come to have fun. I’ve been here for roughly five years, like many of the other individuals on the call I oversee everything from cable infrastructure, CCTV, all basic systems. Anything technology based or that plugs into a wall for the most part falls under our purview. I’m very proud to work here. Very happy to be in this community in the great state of Nevada and it’s an honor to be here with all of you today with such esteemed colleagues. When it comes down to it security and protecting our digital assets is our number one priority. Now as more and more of the city in the community relies on technology, protecting those assets becomes increasingly important.
LB: Thank you guys. Why don’t we start with some tough questions? It will be interesting to hear what were your top information security challenges during the pandemic?
NM: I would say the automotive industry certainly in the UK was one of the more challenging divisions that had to move to remote working at home. It’s not something we traditionally do in the car industry. People come in and they want to walk in, touch the metal and buy the cars. So whilst the majority of our industry is shut down, we kept two facilities open for key workers.
During the lockdown in the UK, our biggest challenge was twofold. It was taking a predominantly paper based business and moving it digitally and electronically while doing that securely and quickly, and also getting users who have never worked from home in their life before to understand the unique differences and challenges. Whilst it may appear that they’re sitting at their desk in the office because of the access we gave them, there are some unique considerations to take into account and some simple things from, ‘I don’t have the scanner right next to me’, to remembering to ensure that their VPN is running, their security is up, that we’re not constantly there nagging them. That was a big challenge for the most part; we’ve taken a very legacy industry and brought it to the 21st century very rapidly.
DB: Well, I liked the fact that you think that the car industry is a legacy industry; milking cows is pretty old school as well. We are certainly a very paper based culture and that can pose a lot of challenges. I think we’re probably slightly different from a lot of companies that have been affected by the current situation. Our sales have gone up and financially we’ve had three or four very strong months. That’s a change in people’s behavior and the way we’re doing sales. While we lost about 3,000 customers as soon as the lockdown hit, the demand for milk went from people buying a latte in Costa Coffee to buying a lot of milk for the house, increasing what we call doorstep sales. Sort of traditional milkman sales, which are higher margin than doing business with a supermarket because that’s in bulk. It’s great! Not as much logistics and customer service with the doorstep piece, plus it’s much higher margins.
We had to obviously move as many people home as possible to shut down the offices while keeping them working at 100%. We had some challenges around paper based solutions and certainly things like scanning, as Norman mentioned, people asking to take scanners home, even though the tracking of what people were taking home was a challenge in the first couple of weeks. We were getting phone calls, like, “Is it okay if I take my desk chair home?”.
Then we had a challenge around hardware as being a very traditional business. We had a lot of physical desktops, very few laptops. We were trying to send people home, but we’re unable to source corporate laptops. So we had to do a lot of BYOD type things, getting people up and running on their own systems from home. How can we secure that access? Can we give them access to the company shared drives into VPNs on personal devices and how do we protect that? For me was the biggest security concern to begin with.
MS: It was very much the same, along the lines of my esteemed colleagues here. It was shifting roughly 3,000 people from coming into physical offices and moving them to their home locations. Obviously shortages of equipment, laptops and so forth, but going to a complete remote infrastructure. We were really privileged that some of the tools we already had were in place, like Azure and other types of remote connectivity. This really helped and benefited us to get moving. The other issue was that we still had to maintain staffing levels at our facilities, having staff and getting them prepared with PPE or protective equipment and still being able to operate.
The hardest part which we learned through this pandemic is just the user education we need to do. Just basic security education, basic overall computer skills, which we take for granted in our department, the technology department, where most of us are familiar with it. Then adapting to workers who can’t come down to our office or can’t work with us and can only talk to us over the phone. Trying to explain what cable goes where and how to make these things work. So we came up with some really ingenious ideas, basically took ideas from YouTube and TedTalks and made little videos and then sent those out to employees to help bridge that digital divide. It’s something we’re going to work on going forward. Other than that, the biggest issue was security access to data and how that’s going to move around in this new age of a decentralized work environment.
LB: Specifically regarding information security, did your information security toolbox narrow or broaden or change in the past few months? Why did it or didn’t it?
MS: For us, we were compromised, and we use the word compromised, in January, right before COVID. Basically we took a lot of measures, so we were kind of ahead of the curve based on that incident. Obviously, part of that was adding more monitoring tools and a harder look at our infrastructure. We reemphasized focus on how we managed cybersecurity, not just internally, but across the organization…especially passwords. Part of that was implementing a two factor system, which wasn’t popular at the time. With COVID it was a great opportunity to have those types of systems in place. It hasn’t been as hard to get executives to provide investments into cybersecurity based on the compromise that we had in late January. Now with COVID, security’s been on the minds of everybody. Getting tools implemented was not as difficult as getting users to understand them; that was the greater long term challenge.
NM: We’re very similar. We had the same issues as both Michael and Daniel have mentioned in terms of shortage of hardware. I think I found one supplier that could supply me with laptops, but it was on a five week lead time; and when I was shutting the business down in three days that was not good. We were actually in the middle of an infrastructure change when COVID hit the UK; a data center change, VPN service change, network change. We were right in the last six weeks of that before the lockdown. Very much as Michael has mentioned, the biggest challenge we had was around users. We did some videos as well, some video voiceovers, and our biggest implementation was bringing forward multifactor authentication. We had a user compromised that we luckily caught within five minutes of the compromise. So there was no risk to the business. There was no leakage of data. We caught it very quickly and shut that account down. The hardest bit was getting the users to read the instructions on how to set it up once they’re up and running. We had a partner who worked with us very well and really understood what we were trying to achieve. That was a big bonus that ensured we were secure during the whole change of moving terabytes of data between data centers in the middle of this pandemic.
It was having a really good partner who understood our business and our organization. Then again, having the backing of the executive coordinator to put in the extra layer of security. Again, as Michael said, there wasn’t a long conversation around the implementation. Often it was “Yep. We need this, let’s get it done. And let’s get it done efficiently.”
DB: I think we were quite lucky. We already had the bulk of our services in the cloud. We’d already implemented multifactor for a number of years, but we had multifactor only enabled for certain people; we only allowed certain people to access services outwith our offices. And then all of a sudden it’s that bulk enrollment of users into MFA. The infrastructure was all there, but that pain of actually getting the users to follow the instructions was challenging. You also have the personal information piece around that.
We don’t have company mobile phones, so you’re saying to people, “You need to put your mobile phone number in here,” and they say, “But I don’t want you to have my mobile phone number.” It’s not for anything other than helping you secure your account. Getting that piece across was quite challenging, but COVID became quite a good stick to beat people with around a lot of IT projects. Things like the migration of documents to SharePoint and user adoption within MS Teams, things like that. These are all technologies we already had, but we weren’t using them anywhere near enough. We used this as an excuse to rapidly do it and that works in our favor, I think.
LB: You all talked about your entire organization working from home and discounts, along with a variety of challenges. It will be interesting for me and for us to understand whether it was the pandemic that caused your organization to use more collaboration tools, such as OneDrive, MS Teams, Zoom and others. And if so, how do you ensure that your enterprise collaboration platforms are actually protected?
DB: As I said before, I think we were already using a lot of these technologies and they were already in place, but underutilized, and getting the user adoption piece up and running was key for that. We haven't invested in any new technology and we're not doing anything that we couldn't do before. We're just doing more of it. Having people dialing in from BYOD devices onto legacy shared drives was a security challenge. But we thought that by moving these things into OneDrive, they become a bit more secure, especially because that's being protected by BitDam.
So we’ve got that protection there at the service side, as well as on the client side and that has made me sleep easier at night.
NM: I think we're in a similar position where we've obviously been on O365 since we launched in 2016, but I think outside of the IT Department, Skype for Business was probably the only collaboration tool and that was used by maybe a seventh of the organization. We'd been pushing MS Teams and making the information available, saying it's really useful. We were just starting to gain traction. Then suddenly we made a business decision. Our business is spread between two areas, the Birmingham and Manchester market areas in the UK. Before lockdown, we took a decision to reduce traveling. So one of the first meetings we converted to online was our meeting with our senior management and our general managers who run each facility. We ran it through MS Teams and instead of it being an all-day 9 to 6 meeting with traveling too, we had the entire agenda covered by 3pm and people saying, "This is fantastic. Why haven't we done this before?" So I think from the IT Department point of view, it's a feather in our cap. As Daniel has said, we have our OneDrive, email and our MS Teams all protected by BitDam.
With what I've seen since I started using BitDam last year, I know if there's something that does creep in it will be picked up like that. And then we can react if and when we need to, so it's been a real opportunity to showcase that IT departments are not just there for if and when things are broken. We can bring real value add in terms of collaboration, but secure collaboration with the business, and not having people's stories and things here, there, and everywhere, which is out of control.
MS: I agree with Norman; basically you've got to have the right tools. BitDam's been our go-to tool for all of our Office365 offerings, which is our mainstay for how we do remote work in the city. The other area where we've really lacked is the cybersecurity team on our side: getting them educated and trained on how to use the tools and, when working remotely where they're not sitting next to each other, being able to share information and talk about working in a remote environment. It's almost like what we're doing at this meeting. It's a different environment to be able to work through issues and still collaborate with our infrastructure team and with our desktop team. So that's been a challenge, but overall it's having solid tools in place, like BitDam, that's really made the difference for us in feeling comfortable with deploying all these remote services.
It's not a normal thing for us. We're very used to coming to the building and using our technology in our facilities; other than getting an email on your phone, there was very little service access to our internal environment. That just wasn't the way government worked, but it's changing. It's changed in days and weeks rather than years, but having solid tools is really what saves the day.
LB: Thank you guys. We hear a lot about threats that are being sent to organizations today. A lot of organizations get ransomware or another big data breach because of the pandemic. It would be interesting to hear from you, because you have a lot of experience in this field: how do you explain the fact that organizations have so many malware protection solutions in place, yet there are still so many successful cyber attacks? It would be interesting if you can share whether your organization experienced more cyber attacks during the pandemic and whether those attacks were sent through a certain channel or through different channels. It would be great to hear what you experienced during the last few months.
NM: I think our biggest increase came through phishing emails. Since March that has gone through the roof, and certainly for us as an organization I think the cybercriminals have tried to take the opportunity to exploit the fact that we are not working together in the same office. Being that we do a lot of transactions, people buying Mercedes Benz vehicles, and they are quite a sizable investment. We've certainly seen an uptick in malicious attachments and credential harvesting attacks coming into the business, or attempting to come into the business. As you mentioned, there are so many cyber security tools, and the way I explain it to the board is it's a bit like car security. We have to invent new technology for the cars that we sell. Criminals will find a way to exploit that. So we then invent more security and it's a constant game of cat and mouse.
Every time we close a loophole in cyber security, they inevitably try and find another route in, and because we are in such a connected world now, I go back to the early days of my career when I first put in corporate WiFi. Back then I was told it's not critical if it goes down, fix it when you can. Within two months, as soon as it went down, the MD was on the phone shouting at me, wanting it back up and running again. People are so used to it. We're so used to being able to access things easily. Which is weird, but the side effect is that having given easy access, you give more weight to security. Having a suite of security tools means you've got more chance of catching it when they try another route than if you only have your standard spam filtering and email protection. Even with the market-leading protections, you need to have a number of those in line and just try and keep locking them out of your systems.
DB: I think Norman's absolutely right. I think that the multi-tiered approach is critical. In an industry where the Chairman of the company is a farmer, it's challenging to get him to lock his computer and say you can't just have one password as your password. You must lock your computer, and no, you can't just click on everything.
These are the challenges that we have that go back to that user piece. As an IT department, we've got to protect users as much as possible. Putting in BitDam alongside other tools gives us that multi-tiered approach. That's one of the reasons I liked the way BitDam approached the email security piece: the way it interfaces with Office365, it sits inside the mailboxes. Therefore, we can have perimeter security protection and we can have mailbox security protection. That's what I really liked about it.
As for an increase in attacks, our reporting says we have a bit more attacks. We've not had a huge amount more get through to the mailboxes of users, but certainly the stats are showing that more are being attempted.
MS: Definitely attacks are on the rise. I mean, with our name, Las Vegas, every time we're in the newspaper or something, attacks rise. There's been a lot of press today; some of the casinos are laying off a lot of individuals, so the attack vector or attack surface rises because we're in the news. To Daniel's comment, having a layered approach, multiple tools, and using BitDam as our main tool: most of our attacks come through email, the old-fashioned way, through phishing.
Again, I go back to user education, user education, user education! Most of them are very plain to see in the world we live in today. For example, "I got this email from the mayor." I look at it and the email address is nowhere near what the mayor's email address is, but they're so focused on the fact that it looks like it's from the mayor. They don't look at the email address and immediately start responding to these individuals. To me the key is education as well; the tools have been fabulous. We haven't had any issues and the layered approach is working. It's the education of our users which is most important. Phishing continues to be the most problematic issue within our organization.
LB: I agree. It seems that across all of our customers we see a lot of phishing. So what you are all saying is reflected in the data we are collecting as well. This is something we see on a daily basis in our system.
On a different topic, it would be interesting to hear how you balance security with business and productivity needs. It would be great to hear if you have any tips that you can share with us.
DB: The key thing there is that the productivity has got to be there. And if your security is compromised, you have zero productivity. You've got to put these measures in place to protect the productivity. Absolutely.
NM: I think firstly, the biggest challenge I've got, as I'm sure we all have, is that users will take the shortest way to get to where they want to get to. I think, as Michael mentioned in his previous comments, it's user education. So it's not just that IT is putting these tools in to make your life awkward. We're actually doing it to make your life easier. So as well as understanding how to use them, they need to understand why we're doing certain things. Especially if it's not something nice and shiny they can instantly see. Most of our security work is hidden in the back end.
One of the things I loved about BitDam was the ease of deployment. I didn't have to teach my users how to use a new email security system. It sits on my mail system, but it's explained to them.
We're not just doing this because it's a shiny new tool that we want to play with; we're doing it to protect the business and ultimately to make your life easier.
LB: Let's move on to our last question for this session. As we all know, everyone is talking about remote work becoming the new normal, even after the coronavirus is gone. It would be great to hear what, in your opinion, will be the influence of this period on organizations' cyber security.
MS: It is the new normal. I don't think we're going back to the old way, even in government, which is generally a slow adopter of anything new and shiny. It's definitely a trend that's not going to stop, which is going to complicate our security posture. It's definitely going to put more reliance on letting go of certain aspects of our operation, not being able to be fully in control.
Azure was a big leap for us, to give up our email servers locally and move all that to the cloud. OneDrive was an even bigger leap, and MS Teams. That being said, what really makes us very proud customers of BitDam is that it is an evolving platform. As our ecosystem evolves and changes, the BitDam system evolves and changes with our organization and kind of interweaves with the technology solutions we are going with. As the world moves towards going more mobile and remote, we have to be flexible to provide the services to all of our customers in any condition and be able to gain access to all the tools and resources, just like if they were in the physical building itself. So it will be very challenging, but with great partners, we know that we will be able to meet that challenge head on.
DB: We're going to be looking at security in a different light. I think with security and home working, having more mobile users and people being outside that corporate firewall, learning the different ways of securing access is going to be key. I'm currently trialing physical keys for laptops as well, and for cloud access. I've always been one to focus on identity. I think all security things should be identity. The more you consolidate that identity piece and protect it as a fortress with MFA, with physical keys, these are the things that we'll need to be looking at more and more.
NM: I think it's the new normal. For the IT department, it's a double-edged sword. It's been a real opportunity for us to showcase what we can bring to the organization. As both Michael and David have said, it adds an extra layer of complication. I think my industry proves we can do things more digitally. One of the surprises for me was the number of vehicles we sold completely online in lockdown, from start to finish, and we've got to protect those customers. One of the reasons why I like the BitDam platform is that it not only helps protect my users and my organization; I know it's helping me protect our customers as well, which helps protect our brand and our brand image. But it is constantly treading the catwalk between ease of use and accessibility, and keeping it secure and keeping all the business data secure.
LB: It sounds like there are also some good surprises in this period of time. Thank you guys very much for joining us for this session today. It was super helpful, and I wish all of us a better, healthier period of time!
BitDam has just announced the launch of its advanced online URL scanner that detects phishing and malicious links. With phishing attacks constantly increasing in both sophistication and frequency – and with COVID-19 accelerating these attacks – this innovative tool could not come at a better time.
The tool demonstrates BitDam’s advanced phishing detection capabilities and provides the cybersecurity community with the ability to scan suspicious links even when they’re still very new – and when reputation and threat-intelligence solutions still cannot identify them.
The phishing detection tool is built for SOC and threat hunting professionals, security analysts, and MSSPs who want to be at the forefront of phishing detection technologies.
Why Phishing Protection Is So Important Now
Phishing is the number one cybersecurity threat facing organizations today. A combination of factors has made this problem more urgent than ever:
Phishing is now more sophisticated
Due to the increase in the severity and consequences of phishing attacks, employees are more aware of the dangers that phishing emails pose. Attackers, therefore, have become more sophisticated, employing machine learning and automation to rapidly create and distribute convincing phishing messages.
Attackers have developed new techniques
With attackers constantly developing new techniques – including using automation to bypass existing security tools – traditional security solutions, including reputation-based products, just can’t keep up.
Attacks are targeted – and missed by traditional solutions
More attackers are ditching the “spray-and-pray” type of phishing attack for more targeted phishing campaigns. These are aimed at individuals within an organization and can be hyper-personalized, ensuring they’re not identified by reputation-based detection solutions including many O365 phishing security and Gmail phishing security solutions.
Phishing attacks are on the increase
Phishing attacks have increased because they’re relatively cheap and simple to set up. With little effort or fear of consequence on the attacker’s side, they can easily access sensitive data like company login credentials. With COVID-19 increasing the number of people working remotely, as well as stress levels, attackers have been taking advantage of this situation.
Liron Barak, CEO of BitDam observes, “We are seeing a real increase in phishing campaigns in the past year. In fact, phishing has become the top cybersecurity threat, more than ransomware or any other malware. That’s because phishing attacks are much simpler to execute, and recently are more difficult to identify.”
The launch of BitDam’s phishing detection scanner could not come at a better time. Barak notes, “In addition to including our unique phishing detection capabilities in BitDam’s Advanced Threat Protection solution, we are now launching this online scanner for use by cybersecurity professionals.”
A Unique Phishing Detection Tool
Most other phishing protection solutions are based on reputation and threat intelligence. This approach is inadequate in the face of automated attacks and previously unseen first-time threats.
BitDam is independent of previous knowledge and data. It uses multiple computer vision and AI algorithms to assess one question: is this a phishing link?
It can therefore detect phishing threats at first encounter, unlike reputation and threat-intelligence-based products that have to wait to collect enough data before classifying something as phishing.
BitDam offers phishing detection and prevention as part of its comprehensive Advanced Threat Protection solution for business collaboration platforms which includes protection for email, cloud drives, and Instant Messaging – covering threats of any type hidden in files and links.
BitDam Launches Its DIY Guide To Assess Email Vulnerability
Understanding your vulnerabilities when it comes to email security is critical in order to ensure that you’re protected against ransomware, phishing, and other email-borne threats. These threats are getting more sophisticated, and many are able to evade mainstream email security products. Studies show that 20-40% of the emerging threats bypass the leading email security solutions.
Testing your email security may sound like a long and complicated task that involves engagement with pentesting professionals and deployment of attack simulation tools. But it doesn’t have to be this way. BitDam now presents its DIY Guide: How to Assess Your Email Vulnerability for Free in 20 Minutes which allows anyone to test their email security and get an accurate view of what threats their current security tools block and what they miss.
This guide showcases free tools only – each focused on a slightly different goal – and uses a step-by-step approach, guiding you in how to assess your email security posture. You can also watch the video to learn how to implement these free tools.
Why It’s Needed
Some of those responsible for email security might think that with their "mainstream" email security solution in place, they're protected. Unfortunately, the facts show that this is a dangerously incorrect assumption. Specifically, when it comes to threats encountered for the first time ("Unknown Threats at First Encounter"), these solutions struggle to keep up.
For example, Proofpoint’s “TAP” advanced email protection misses about 23% of new attacks emerging every day, Microsoft Office 365 Advanced Threat Protection (ATP) misses 25% of new attacks including recent phishing campaigns, and G Suite Enterprise misses almost 36% of threats. In fact, 45% of emerging threats bypass at least one of the leading email security products.
So how does your organization’s email security fare when it comes to these threats?
Free Tools To Assess Email Vulnerability
BitDam offers three free tools for evaluating your email security: Lucky Meter, Breach & Attack Simulation (BAS), and BitDam's Malware Feed.
Lucky Meter
Lucky Meter is a highly accurate way to assess email vulnerability, using continuous, real-world attacks in real time to give an accurate, up-to-date, and detailed picture of your risk level.
Breach and Attack Simulation (BAS)
BitDam BAS offers a quick one-time assessment of your email security posture. It makes use of simulated attacks that are based on real-world attacks the BitDam team has observed in the wild.
Malware Feed
Mainly used for deeper investigation, the Malware Feed includes live information on real-world malware attacks.
Each of these tools is incredibly easy and quick to get started with and is offered by BitDam completely free.
More About The Guide
The DIY Guide presents each solution in more detail, highlighting each one’s typical use case and main advantages. Each tool has its introductory section explaining what it’s ideal for, its quick steps for getting started for those more proficient with these types of tools, and more in-depth step-by-step instructions including images and screenshots.
By following the Guide, you’ll be able to select any or all of the free services offered, use them to assess any vulnerabilities within your email security posture, and generate detailed, valuable reports that can help you make the right decisions for the security of your organization. And the best part about it – you’ll have to invest only about 20 minutes.
Your Guide to Continued Email Security
Using these free tools provided by BitDam, any organization can simply, quickly and easily check the current state of their email security posture – the first step in upgrading your email security to meet the latest threats.
The research notes that “As cloud office suite adoption becomes nearly universal, security and risk management leaders must explore ways to protect sensitive information from risks and threats”. We fully agree of course, and in our opinion this is made all the more urgent by factors such as an increasingly decentralized workforce and the work-from-home (WFH) consequences of COVID-19.
BitDam: Protection Across Multiple Platforms
In the report’s recommendations, it’s noted that “security and risk management leaders overseeing applications and data security related to cloud office security should: evaluate a threat-protection tool that can work across multiple enterprise collaboration platforms”. At BitDam, this is part of our DNA as we protect against malicious files and links delivered in any collaboration platform including enterprise email, cloud drives, and instant messaging.
Today’s Threats and BitDam’s Answer
Two of the biggest threats facing organizations today are email-borne threats, and threats relating to collaboration platforms such as Google Drive, Microsoft OneDrive, or Instant Messaging platforms.
Many popular email security products can't detect 20-40% of unknown threats at first encounter (which can lead to successful phishing, ransomware, and data breach attacks). Add to this the fact that there has been a constant increase in the use of collaboration platforms, which has accelerated in 2020, and the need for the protection that BitDam provides becomes apparent. BitDam effectively protects these platforms against threats, including securing IM, Zoom and Microsoft Teams.
What’s So Cool About BitDam?
Here are what we believe to be some of the factors that make BitDam so special:
Protecting multiple collaboration tools
The list of collaboration tools used to share content and work together is constantly growing. Files, links, attachments, messaging, video, cloud drives – all of these have become critical in the modern workplace. Unfortunately, these tools also provide attackers with multiple points of entry when it comes to cyberthreats.
BitDam therefore secures multiple collaboration tools, including email, cloud drives, instant messaging tools and video communication platforms, thus keeping the modern organization safe across all fronts. It uses the same security approach across all these channels and provides security personnel with a unified view.
Unique attack agnostic detection approach
BitDam's unique approach means immediate detection of advanced threats, regardless of attack technique. BitDam learns the normal code-level executions of business applications such as MS Word and Acrobat Reader. Based on this whitelist, it scans files and links before they reach the end-user and determines whether they are malicious or not, regardless of the specific malware they may contain.
Detecting both known and unknown emerging attacks, BitDam guarantees the highest detection rates in the industry. It does not require feeds, reputation or intelligence services in order to detect never-seen-before attacks.
We leverage our IP to offer free SOC tools
BitDam offers free SOC tools such as its Breach & Attack Simulation (BAS) for email, BitDam Lucky Meter and its Malware Feed:
BitDam’s free BAS enables users to analyze their email protection and uncover any email security flaws. BitDam’s BAS automatically simulates cyber attacks and tests the user’s cyber defenses, providing insights into email security.
BitDam's Lucky Meter allows users to check, in real time, how exposed their mailbox is to the unknown cyber threats that are emerging every day. Lucky Meter measures the Miss Rate at first encounter and Time To Detect (TTD) of the current security solutions in a user's live environment, and provides a continuous assessment of the effectiveness of current email security.
Our Malware Feed provides access to the most recent cyber attacks from the wild, allowing users to further investigate these attacks.
There’s a lot that BitDam offers that we believe are factors that led to BitDam being named a Cool Vendor by Gartner. For us, being recognized as a Cool Vendor highlights the critical role BitDam plays in keeping organizations and their users protected, no matter where they (virtually) are.
If you’re interested in learning more about what BitDam does and how we can help your business, schedule a demo with a BitDam expert or get in touch.
Gartner “Cool Vendors in Cloud Office Security,” Brian Reed, Ravisha Chugh, 1 May 2020
The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
In the last couple of weeks, we noticed a significant increase in the number of threats bypassing O365 ATP. We observed the same trend across multiple customers and industries, all in the US. Interestingly, most of these attacks were phishing campaigns, impersonating Microsoft.
Detecting cyberthreats that bypassed O365, along with other advanced email security solutions such as Proofpoint TAP and G Suite Enterprise, is not new to us. As BitDam’s Advanced Threat Detection is located as a last line of defense, it detects all those threats that were missed by the first line email security in place. If you’d like to learn more, you can always check out the most recent cyberattacks in the wild and which security solutions they missed in this live dashboard.
With that said, in the past two weeks we noticed something different. Between May 13th and May 27th we saw a drastic increase in the number of cyberattacks that were missed specifically by O365 ATP across most of our customers in the US. This includes malicious files and phishing links delivered by email. Here are some statistics:
67% of the malicious emails missed by O365 ATP were phishing emails; the other 33% contained malware
90% of the phishing emails tried to capture credentials for Microsoft's products, many of them by using notifications such as 'a document is waiting for you' or 'a voicemail is waiting for you'
98% of the malicious files were Excel files, many of them using macros
89% of the malicious Excel files included 'invoice' or 'receipt' in their filename
Since we expanded our offering from malware detection only to also providing phishing protection, our researchers have seen constant growth in the number of phishing attacks. In the past few weeks this trend accelerated, and they observed a significant spike in this type of attack. While it's a known fact that phishing is the leading threat exploiting COVID-19, we were surprised to see the proportion of phishing attacks that bypass O365 ATP, one of the leading email security solutions in the market. In one case, protecting a customer that uses O365 ATP, BitDam detected 29 malicious files in one day (!) targeting mainly the organization's executives.
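The four statistics above describe a very specific pattern: a display name that impersonates Microsoft, a "document/voicemail is waiting" lure, and Excel attachments with macros and invoice/receipt filenames. The following is an added example, written for this page and not BitDam's code or its detection approach (which the Gartner section describes as behaviour-based), showing how a SOC analyst could triage mail for exactly this pattern with nothing but the Python standard library. The brand-to-domain allow list, the lure phrases and the three sample messages are constructed assumptions for the example; the one real structural fact it relies on is that OOXML workbooks (.xlsx/.xlsm/.xlsb) are zip archives and VBA code lives in the xl/vbaProject.bin entry.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Notification-style lures seen in the campaign described above.
LURE_PHRASES = ("document is waiting", "voicemail is waiting")
# Filename words seen in 89% of the malicious workbooks described above.
INVOICE_WORDS = ("invoice", "receipt")
# Assumption for this example: domains allowed to send as the named brand.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}
EXCEL_EXTS = (".xlsx", ".xlsm", ".xlsb", ".xls")


@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # filename -> content


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML workbook carries a VBA project (xl/vbaProject.bin).

    Non-zip input (legacy .xls, truncated files) is reported as False; the
    caller handles the legacy case separately.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def score_email(msg: Email) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()

    # 1. Display name claims a brand the sending domain does not belong to.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in msg.display_name.lower() and not any(
            domain == d or domain.endswith("." + d) for d in allowed
        ):
            findings.append(f"display name claims {brand!r} but sender domain is {domain}")

    # 2. Credential-harvesting notification lure in subject or body.
    text = f"{msg.subject} {msg.body}".lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            findings.append(f"notification lure: {phrase!r}")

    # 3. Excel attachments: macro content plus invoice/receipt naming.
    for name, data in msg.attachments.items():
        lname = name.lower()
        if not lname.endswith(EXCEL_EXTS):
            continue
        if has_vba_project(data):
            findings.append(f"attachment {name} contains a VBA project")
        elif lname.endswith(".xls"):
            # Legacy OLE2 workbook: zipfile cannot see inside it.
            findings.append(f"attachment {name} is legacy binary Excel; inspect with oletools")
        if any(w in lname for w in INVOICE_WORDS):
            findings.append(f"attachment {name} uses an invoice/receipt lure name")
    return findings


def _make_workbook(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


# Constructed sample messages (assumed, not taken from the campaign data).
SAMPLE_PHISH = Email(
    display_name="Microsoft SharePoint",
    from_addr="notifications@sharepoint-docs.example",
    subject="A document is waiting for you",
    body="Click to review the shared document.",
)
SAMPLE_MALDOC = Email(
    display_name="Accounts Payable",
    from_addr="ap@supplier.example",
    subject="Invoice 4471",
    body="Please find attached.",
    attachments={"Invoice_4471.xlsm": _make_workbook(True)},
)
SAMPLE_BENIGN = Email(
    display_name="Jane Doe",
    from_addr="jane@partner.example",
    subject="Q2 figures",
    body="Spreadsheet attached as discussed.",
    attachments={"q2_figures.xlsx": _make_workbook(False)},
)

if __name__ == "__main__":
    for m in (SAMPLE_PHISH, SAMPLE_MALDOC, SAMPLE_BENIGN):
        print(m.subject, "->", score_email(m) or ["clean"])
```

The checks are deliberately cheap and independent of reputation feeds, so they work on the first copy of a campaign; the price is that a display-name check only catches impersonation of brands you have listed, and the macro check says nothing about what the VBA does. Treat the output as triage input, not a verdict.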
To get a real and continuous picture of how protected your email is against TODAY’s threats – which attacks are missed by your current email security and what types of attacks are putting your organization at risk – sign up for BitDam’s next generation Breach & Attack Simulation here. Spoiler: you’re going to be surprised…
Daniel Baird, Graham’s Family Dairy on BitDam Email and OneDrive Security
Daniel Baird, Head of Information Technology, Graham’s Family Dairy
We’ve interviewed Daniel Baird, Graham’s Family Dairy Head of Information Technology about his experience with BitDam’s Advanced Threat Protection (ATP). Graham’s Family Dairy is a household food and beverage name within Scotland; at the forefront of everyone’s breakfast table.
Here is the result in video and text:
Q: Daniel, what was your email security solution prior to using BitDam? Why did you decide to add another solution like BitDam’s?
A: Our security solution prior to using BitDam was Microsoft O365 ATP (Advanced Threat Protection). We were happy with O365 ATP, and still are, but understood that this is just part of the entire solution. While O365 ATP is great as the basic layer of email security, it protected us only from known threats. We were getting huge amounts of threats through Microsoft’s ATP product and these needed to be mitigated against. We’ve added BitDam on top of this as an extra tier of protection to make sure we’re protected against both known and unknown threats. The issue about these unknown threats is that they keep coming and they are not as rare as you’d think.
Q: Why did you decide to try BitDam?
A: I really liked BitDam’s fresh approach to security. While all other vendors are focused on data-driven technologies (that depend on heuristic definitions) and work well protecting threats that were seen in the wild in the past, BitDam uses a very different, model-driven approach, that detects unknown threats from the very first moment they’re out there. Furthermore, they protect OneDrive in addition to O365 email, which means that our end-users are protected on every front.
Q: What have the results been so far? What does BitDam enable?
A: BitDam has successfully identified several threats that have made it through the Microsoft security piece, and has given us advanced warning. Users don’t even notice it which is another advantage.
Q: Can you share some insight about the setup process and trial?
A: It took literally 10 minutes, probably five minutes, and it was very, very seamless. We actually started the trial when I was in the coffee shop at a conference talking to their rep. It was super-easy. Within a few weeks, we were able to realize the ROI of this solution and decided to go for it. Once you see with your own eyes the significant number of attacks that bypass your current security and get caught by it, you don't hesitate anymore.
Q: How would you describe, in a sentence or two, what BitDam does?
A: BitDam provides an extra tier of protection to our Office 365 email and our OneDrive files. This gives us advanced intelligence against the unknown threats.
BitDam’s mission is to secure enterprise communications across all collaboration tools. We protect organizations from advanced threats hidden in files and links regardless of the threat type and delivery method.