Risky Biz Soap Box: Why Black Box Email Security is Dead
Risky Business Podcast Episode Summary
Release Date: November 11, 2024
Introduction and Background
In this episode of Risky Business, host Patrick Gray engages in a deep dive conversation with Josh Kamdu, the co-founder of Sublime Security—a cutting-edge email security platform. The discussion centers around the evolution of email security, highlighting the shortcomings of traditional black box models and exploring the innovative, programmable approach that Sublime Security brings to the table.
The Limitations of Black Box Email Security
Josh Kamdu opens the dialogue by reflecting on his extensive experience in both offensive and defensive security roles, particularly focusing on email-based attacks. He explains the inherent issues with black box email security solutions:
"We quickly realized that the black box nature of the solution space was kind of the fundamental problem because it was too slow to adapt, it wasn't tailored enough for each individual organization."
[04:17]
Kamdu emphasizes that black box systems often fail to account for the unique behaviors of different organizations, resulting in persistent false positives and false negatives. Because customers cannot see or change the detection logic, misclassifications take a long time to get addressed, causing significant operational pain for security teams.
The Evolution of Sublime Security
Responding to these challenges, Sublime Security was conceived as a solution that transcends the limitations of opaque detection engines. Kamdu describes the platform's transformative approach:
"The programmable nature of our detection engine... enables you to solve these pain points that we couldn't before."
[07:20]
Initially launching as a black box, Sublime Security swiftly shifted to a more flexible model, allowing customization and real-time adjustments. This adaptability ensures that security measures are both effective and tailored to the specific needs of each client.
Attack Techniques in Email Security
Delving into the tactics used by adversaries, Kamdu outlines the sophisticated methods employed to bypass traditional email security measures:
"Living off the land, link-based malware delivery... abusing high reputation domains and high reputation free file sharing services."
[10:12]
He details techniques such as embedding URLs in PDFs, HTML smuggling, and leveraging trusted platforms like GitHub and Dropbox to deliver malicious payloads. These strategies are designed to blend seamlessly into normal traffic, making detection exceedingly challenging for conventional systems.
Modern Threat Landscape and AI-Driven Attacks
Kamdu highlights the dynamic nature of the threat landscape, noting a significant shift toward AI-driven, large-scale spear phishing attacks:
"Adversaries are leveraging generative AI to do this sophisticated recon and targeting, but at massive scale."
[15:16]
This evolution demands that email security solutions evolve in tandem, requiring rapid adaptation and the ability to handle complex, AI-enhanced threats that traditional models struggle to address promptly.
Detection Capabilities and Case Studies
Sublime Security's advanced detection mechanisms are showcased through various case studies and real-world applications. Kamdu discusses their work with major political campaigns and the identification of prompt injection attacks targeting LLMs within email systems:
"We saw a prompt injection attack in a phishing email... It was a bypass attempt too."
[21:11]
These examples illustrate the platform's capability to detect nuanced and emerging threats that other solutions might overlook, underscoring the importance of a programmable and adaptable security framework.
Programmable Engines and the Future of Detection Systems
A pivotal part of the conversation revolves around the future trajectory of detection systems. Kamdu advocates for programmable engines that allow for real-time customization and granular control:
"I see this being the future of real time detection engines because more and more you see the need to be nimble and to rapidly adapt."
[19:05]
This paradigm shift moves away from static, one-size-fits-all models towards dynamic systems that can swiftly respond to evolving threats, enhancing both security and operational efficiency.
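To make the "programmable engine" idea from this section and the link-based and HTML-attachment techniques from the earlier section concrete, here is a small added example (not code from the episode or from Sublime Security) of detection rules written as plain Python functions over a constructed sample message. The file-sharing host list, the rule names and the sample message are all assumptions for illustration; the point is that each rule can be read, edited and re-run by the organisation itself rather than hidden inside a black box.

```python
import email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not from the episode): external sender, a link on a
# high-reputation file-sharing host, and an HTML attachment.
RAW_MESSAGE = b"""From: Accounts <billing@example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review: https://www.dropbox.com/s/abc123/invoice.pdf?dl=1
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>See the shared folder.</body></html>
--b1--
"""
FILE_SHARING_HOSTS = {"dropbox.com", "github.com", "drive.google.com"}  # hypothetical per-org list
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_external(msg, org_domain):
    return not parseaddr(msg["From"])[1].lower().endswith("@" + org_domain)

def extract_urls(msg):
    """URLs from every text part, text attachments included."""
    return [u for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")
            for u in URL_RE.findall(p.get_content())]

def on_file_sharing_host(url):
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)

def rule_file_sharing_link(msg, org):
    """External sender linking to a free file-sharing service."""
    hits = [u for u in extract_urls(msg) if on_file_sharing_host(u)]
    return hits if is_external(msg, org) and hits else None

def rule_html_attachment(msg, org):
    """External sender with an HTML attachment (the HTML smuggling vector)."""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_content_type() == "text/html"]
    return names if is_external(msg, org) and names else None
RULES = [rule_file_sharing_link, rule_html_attachment]  # edit this list to tune per organisation
def evaluate(raw, org_domain):
    """Run every rule over a raw RFC 5322 message; return {rule_name: detail} for rules that fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {r.__name__: d for r in RULES if (d := r(msg, org_domain))}
```

Running `evaluate(RAW_MESSAGE, "example.org")` fires both rules; the same message evaluated for `example.net` (the sender's own domain) fires none, which is the per-organisation tailoring the episode argues black boxes cannot offer.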
API vs. MTA-Based Deployments
The discussion transitions to the technical aspects of deploying Sublime Security's solutions, comparing API-based and Mail Transfer Agent (MTA)-based approaches. Kamdu explains the benefits and limitations of each:
"If you're purely API based, it's post delivery... there is a window."
[32:11]
He elaborates on how combining both methods can overcome each approach's limitations, such as the processing-time constraints of in-line scanning and the limited ability to modify an already delivered message, to provide comprehensive protection without disrupting business communications.
Conclusion
In wrapping up, the conversation reinforces the critical need for adaptable, programmable email security solutions in today's complex threat landscape. Sublime Security's innovative approach addresses the persistent shortcomings of black box models, offering a more efficient, customizable, and resilient defense mechanism against sophisticated email-based attacks.
"It's all about efficiency 100%. Right. And security teams are already so overtaxed and under resourced and so you can't create more work for them."
[30:38]
This episode underscores the imperative for continuous evolution in email security strategies, advocating for systems that empower security teams to effectively manage and mitigate risks in an ever-changing digital environment.
Notable Quotes
- "The black box nature of the solution space was kind of the fundamental problem because it was too slow to adapt, it wasn't tailored enough for each individual organization." — Josh Kamdu, 04:17
- "The programmable nature of our detection engine... enables you to solve these pain points that we couldn't before." — Josh Kamdu, 07:20
- "Adversaries are leveraging generative AI to do this sophisticated recon and targeting, but at massive scale." — Josh Kamdu, 15:16
- "I see this being the future of real time detection engines because more and more you see the need to be nimble and to rapidly adapt." — Josh Kamdu, 19:05
- "It's all about efficiency 100%. Right. And security teams are already so overtaxed and under resourced and so you can't create more work for them." — Patrick Gray, 30:38
This comprehensive summary encapsulates the essence of the episode, providing listeners with an insightful overview of the critical discussions surrounding the obsolescence of black box email security and the emergence of programmable, adaptive solutions in the cybersecurity landscape.
