Risky Bulletin Podcast Summary
Episode: Sponsored: Sublime Security on the Spam/Email Bomb Problem
Host: Catalin Cimpanu
Guest: Bobby Filar, Head of Machine Learning at Sublime Security
Release Date: May 25, 2025
Introduction
In this episode of Risky Bulletin, host Catalin Cimpanu talks with Bobby Filar, Head of Machine Learning at Sublime Security, about the evolving challenges of email security, focusing on the emerging threat of email spam bombs and on how Sublime Security is building detection and response for them.
Understanding Sublime Security’s Approach to Email Security
Bobby Filar begins by outlining Sublime Security’s approach to email security. Unlike traditional solutions that operate at the email gateway or on the network, Sublime Security integrates directly with the user's inbox. This positioning allows for more granular control and real-time interaction with incoming email.
Key Points:
- In-Inbox Detection: Sublime’s scripting and detection engine resides within the inbox, enabling immediate threat analysis.
- Granular Control: Offers deeper security by interacting directly with each email, using pre-built detection rules.
Notable Quote:
"Emails come in, Sublime scans them and then warns customers of various threats based on some pre-built detection rules."
— Bobby Filar [00:15]
The Email Spam Bomb Problem
The discussion moves to the core topic: email spam bombs. Catalin Cimpanu explains the concept, highlighting two primary types:
- Subscription Bombs: Where a user is inundated with unsolicited newsletters and spam, making it difficult to unsubscribe.
- Social Engineering Bombs: Targeting specific employees to facilitate attacks, such as ransomware infiltration.
Key Points:
- Subscription Bombs: Overwhelming inboxes with benign yet unwanted emails.
- Social Engineering Bombs: Leveraging the flood of emails to manipulate targets into compromising security.
Notable Quote:
"Email spam bomb, since I kind of was on the end of two of these in the past, is when you have a threat actor who uses some sort of script and subscribes your email to a bunch of newsletters..."
— Catalin Cimpanu [00:55]
Sublime Security’s New Detection Feature
Bobby Filar introduces Sublime Security’s latest feature, designed to detect and mitigate email bombs. It uses machine learning to identify abnormal spikes in email volume relative to each individual user's normal behavior.
Key Points:
- Individual Baseline Modeling: Analyzes 30 days of email activity to establish what is normal for each user.
- Statistical Anomaly Detection: Utilizes probabilistic methods to assess the likelihood of email spikes being malicious.
- Automated Remediation: Automatically moves suspicious emails aside for further analysis and alerts security teams.
Notable Quote:
"We decided to flip that problem on its head and really tackle it at the individual level and build individual models kind of on the fly."
— Bobby Filar [02:56]
The Role of AI and Machine Learning
Catalin asks about the AI components of the new feature, questioning why Sublime chose an AI-driven approach over simpler methods such as Chrome extensions that just move the flood of emails to spam.
Key Points:
- Topic-Based Analysis: Differentiates between legitimate and spam emails based on content relevance.
- Behavioral Modeling: Examines sender patterns and communication behaviors to discern normal from anomalous activity.
- Adaptive Learning: Continuously learns and adjusts thresholds based on user-specific email patterns.
Notable Quote:
"There’s kind of the language modeling piece which we touched on topic modeling, detecting threats or urgency, things like that. But then there’s the behavioral machine learning piece."
— Bobby Filar [08:42]
Customer Use Cases and Beta Testing
The feature is currently in beta, with feedback from select customers highlighting its effectiveness in varied scenarios, including high-volume spam attacks and sophisticated social engineering attempts.
Key Points:
- Diverse Threat Handling: Capable of managing both traditional spam and targeted social engineering attacks.
- Custom Automations: Allows organizations to create custom responses based on detected threats.
- Real-World Applications: Successfully detected large-scale spam attacks against major news organizations.
Notable Quote:
"We have a customer that's one of the biggest news organizations in the world... they use the Sublime control narrative to build their own sort of automations."
— Bobby Filar [10:18]
Adjustable Detection Thresholds
A significant aspect of the feature is its customizable thresholds, which let organizations strike their own balance between aggressive detection and a low false-positive rate.
Key Points:
- User Configurability: Organizations can set how sensitive the detection should be.
- Probabilistic Thresholds: Utilizes confidence levels (high, medium, low) rather than fixed numerical values.
- Adaptive UX: Plans to incorporate user-friendly workflows to allow easy adjustment of detection aggression.
Notable Quote:
"We look back around 30 days to try to build this sort of baseline model... it's not necessarily an integer. It’s not two times the standard deviation... something like that."
— Bobby Filar [14:19]
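The per-user baseline, probabilistic spike scoring and configurable sensitivity described in this section and in "Sublime Security’s New Detection Feature" above, as an added illustration that is not Sublime's code (the episode does not describe their actual model): a 30-day daily-count baseline for one user, a Poisson upper-tail probability for today's inbound volume, confidence tiers instead of a fixed "two standard deviations" rule, and a tenant-level sensitivity that decides whether flagged mail is moved aside. The Poisson model, the tier cut-offs, MIN_BASELINE_DAYS, the one-message-per-day floor and all sample counts are assumptions constructed for the example.

```python
import math

# Confidence tiers on the upper-tail probability of today's volume.
# Cut-offs are constructed for illustration, not Sublime's values.
TIERS = (("high", 1e-6), ("medium", 1e-3), ("low", 5e-2))
MIN_BASELINE_DAYS = 7   # assumption: too little history means no verdict


def poisson_upper_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam), summed term by term in log space
    so that very small tails (the interesting ones) are not lost to rounding."""
    if k <= 0:
        return 1.0
    total = 0.0
    # Terms past k + 200 + 20*sqrt(lam) are negligible for any realistic lam.
    for i in range(k, k + 200 + int(20 * math.sqrt(lam + 1))):
        total += math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
    return min(total, 1.0)


def assess_volume(baseline_daily_counts, observed_today):
    """Score one user's inbound volume today against that user's own history.

    Returns (tier, p): tier is 'high', 'medium', 'low' or None (benign);
    ('insufficient', None) when the look-back window has too few days."""
    if len(baseline_daily_counts) < MIN_BASELINE_DAYS:
        return "insufficient", None
    # Per-user rate; floor of 1 msg/day (assumption) so a near-silent
    # inbox is not flagged on its very first legitimate message.
    lam = max(sum(baseline_daily_counts) / len(baseline_daily_counts), 1.0)
    p = poisson_upper_tail(observed_today, lam)
    for tier, cutoff in TIERS:
        if p < cutoff:
            return tier, p
    return None, p


def remediation(tier, org_sensitivity):
    """Map a tier to an action under the tenant's configured sensitivity:
    a tenant set to 'low' acts on low, medium and high; 'high' acts only on high."""
    rank = {"high": 0, "medium": 1, "low": 2}
    if tier not in rank or org_sensitivity not in rank:
        return "deliver"
    return "move_aside_and_alert" if rank[tier] <= rank[org_sensitivity] else "deliver"


if __name__ == "__main__":
    alice = [18, 20, 22] * 10     # constructed: ~20 msgs/day for 30 days
    tier, p = assess_volume(alice, 120)   # a subscription-bomb day
    print(tier, p, remediation(tier, "medium"))
```

A fixed 2σ rule on the same baseline would fire at about 29 messages; the tail probability instead lets the tenant choose how rare a day must be before mail is moved aside.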
Future Innovations: Autonomous Security Analyst (ASA)
Beyond email bomb detection, Bobby Filar discusses Sublime Security’s use of Large Language Models (LLMs) to support security operations through their Autonomous Security Analyst (ASA).
Key Points:
- Abuse Mailbox Management: Automates the triage and analysis of reported phishing emails, reducing the burden on security teams.
- Consistency and Efficiency: Provides unbiased, consistent analysis and response based on predefined guidelines.
- Agentic AI: ASA can execute automated responses or generate detailed reports for further investigation.
Notable Quote:
"ASA, which is our first kind of entry point into agentic AI... it reviews messages, it produces reports... moving security analysts off of abuse mailbox duty into things that are maybe a little bit more important or critical."
— Bobby Filar [19:00]
Impact on Security Operations
The introduction of ASA has had a transformative effect on security teams, enabling them to focus on more complex threats while automating routine tasks.
Key Points:
- Operational Efficiency: Frees up security personnel for deeper investigations.
- Training and Development: Assists in upskilling junior analysts by working alongside them.
- Scalability: Handles increasing volumes of abuse reports without additional human resources.
Notable Quote:
"They’re using ASA to uplevel their junior analysts... It's really fascinating how folks can get a tool and then start to uncover like new or unique use cases that fit their need."
— Bobby Filar [21:51]
Conclusion
The episode concludes with enthusiastic remarks from both Catalin Cimpanu and Bobby Filar on the strides Sublime Security is making in email security and in the broader landscape of security operations. Sublime’s proactive approach, driven by machine learning and AI, positions it as a strong contender in mitigating modern email-based threats.
Final Quote:
"It's a really interesting mathematical problem... we're excited to see it in use already with some of these customers."
— Bobby Filar [17:53]
Takeaway:
Sublime Security is addressing the escalating threat of email spam bombs with per-user machine learning models and AI-driven tooling. Its latest feature detects and mitigates these floods in real time and lets security teams tune how aggressively it acts. Alongside it, the Autonomous Security Analyst points to a model in which AI handles routine triage and human analysts focus on the harder cases.
