Welcome to Hash It Out, a podcast built by data security experts. We decipher the data security landscape through honest conversations about today's headlines and tomorrow's challenges, brought to you by Virtru. Let's dive in.
In this episode of Hash It Out, we chat with Dan Nickolaisen, solutions architect manager at Abnormal AI, and Ryan Ogden, senior director of information security at SpotOn, to gain insight on how innovative organizations are combining Virtru and Abnormal AI products to move beyond legacy email, creating a powerful data protection that supports modern and efficient collaboration.
Alrighty. Let's do this. So, for those of you watching, welcome to another edition of Virtru's Hash It Out series.
My name is Trevor Foskett. If you've tuned in to these series before, you may have may have seen or or heard me. So happy to be back here doing another one of these. I lead the presale solutions engineering team, here at Virtru. I'm joined by, not one but two special guests today, who will go ahead and have introduce themselves, now. So, Dan, why don't you go ahead and let the viewers know who we are and what you do?
Yeah. Sure. Hi, everybody. My name is Dan Nickolaisen.
I'm a solutions architect at Abnormal Security recently. I moved into a management role. But, fundamentally, what my day to day opportunities are have been for the last several years that I've been here has been helping organizations migrate away from third party secure email gateways to leverage the native email gateway built into Microsoft or Google and then obviously complimented or supplemented by abnormal. So, anyway, good about me, and, yeah, I'll kick it over to Ryan.
Yeah. Thanks, Dan. I'm Ryan Ogden. I've been at the information security function and team here at SpotOn. And, you know, for for those of you unaware, SpotOn is a a restaurant the Toast, taking on the technology needs for for restaurants in the food and food beverage industry. And my day to day is overseeing the enterprise security functions for the business and, the security of our products that, we sell and make available to our merchants and customers.
Fantastic. Thanks, guys.
So interesting set of, characters here today. We have, you know, Dan is from another, security vendor, at abnormal who kind of we think of as being a a compliment to what we do here at Virtru. We're we're interested in securing your data as you share it outbound. Abnormal really concerned about, protecting your you from threats that are coming from outside and and moving in. So Ryan is in a unique position, being a customer, of of both of ours. So, Ryan, thanks, thanks times too for joining us today. And I guess the big question that probably a lot of people are asking is, and and the title of our session today being beyond the seg, beyond the secure email gateway.
Inbound and outbound, why why two solutions? Why are you customers at both of ours? Why didn't you just go get something that does it all?
Great question.
Well, you know, for some reason, we're we're forty or fifty years into the world of email, and it's still a big deal. So, yeah, which is kinda crazy in a lot of ways. But, for for us, you know, the the landscape of email security has been I mean, it's evolved. It's changed. It's it's done all sorts of crazy stuff over the last, you know, thirty, forty plus years. And for us and me specifically, what what I needed was something that was pretty hands off, but had a high degree of efficacy and was able to adapt to the landscape.
I think the, the rate of change, the the security landscape is just getting it's increasing every every single year. So for us, keeping inbound against our business, we are we also are a payments company to some degree. So for us, it's really important to have that that projection layer there. And then for the outbound side, you know, we're we we provide and build and support technology for restaurants in the food beverage industry, and so we do a lot of communications with our our merchants who are our customers.
So I think restaurant owners, bar managers, people that own coffee shops, and, you know, really large restaurant chains, and they they have very unique needs that are specific to their business. So it was really important for us to have a nice, seamless, trusted way for us to exchange some of that information, and make sure that they were able to adapt to it, we could adapt to it, and not have to go through a thousand hurdles just to try to to learn a new technology. So for us, it made a lot of sense to to kinda handle it in both sensors with, with a nice secure inbound product and then something that allows us to do those secure comps with with our customers.
Fantastic.
Dan, I saw you come off mute there. I'm gonna I'm gonna jump ahead of you, but I actually ask you a question. Ryan talked a lot about, you know, this evolving threat landscape, and I was hoping maybe as as the expert in the space on inbound threats, you could tell us a little bit about the the state of play today. What what what are the threats, and and how are they advancing, and how do you guys tackle that?
No. Yeah. Great question. I was actually coming up mute to to maybe ask Brian about a couple of specific use cases he's seen, but from a prompt perspective and kinda going from there.
Just to that point, I'll I'll say that a little bit more on my background. I've been doing email security for about the last ten years. And even just in that last ten years, so many things have shifted. Back when I first joined at a at a third party email gateway company a number of years ago, a lot of the threats were really simple, like link based threats, like click here.
I'm immediately brought to a phishing page or there might be a malware download at the other end of that click. When it comes to link based, you know, threats, what what a lot of what I see nowadays is you're gonna have messages where the initial URL will point to an entirely legitimate service. That could be like a Canva, an Adobe, a SharePoint, a OneDrive, or some legitimate website that has been kinda compromised or is being abused. And then it requires oftentimes multiple points of human interaction to, like, click on another link, solve a caption, maybe perform some character entry before they can eventually get my credential stolen or some of the other trends that we see is rather than stealing credentials in the traditional sense, we have, you know, link based threats that are trying to install OLAP applications into, like, a user's Office three sixty five or Google account.
And so what we've seen is that the level of obfuscation, the level of point the number of points of, like, human interaction, human verification that are taking place have have kind of, you know, grown exponentially over the past, you know, ten years if you wanna think of it that way. And it's kinda gotten to a point where from my perspective with especially link based threats, I can't rely on strictly doing kind of payload analysis in that traditional sense of, like, put a link in a sandbox, click on it, see what would end up happening to the end user. And so that's what we see from, like, a link perspective.
The other big increase that we've seen is gonna be in that broader term of what you refer to as business email compromise. And so whether those are things like, simple name impersonations or if you're actually talking about third party compromise and that third party compromise being used to either send link based threats, for example, or attachment based threats or items that don't contain a payload, and they're just trying to seek some sort of financial gain, like misdirecting an upcoming invoice payment or things of that nature. Those are really the two broad themes that I've seen is, again, kind of more complicated loop based threats and then there's really, really heavy emphasis and push for business email compromise.
And especially in that world of business email compromise, things that don't necessarily have a payload, but are just trying to steal money from organizations. Those are the two kind of biggest trends I've seen over my career at least. But, anyway, not sure, Ryan, if there's anything to mention there. But just a couple of quick overviews on that.
Sure.
Yeah. No. I mean, you you covered it. Right? That has that is the landscape changing. It's changed from more of a reactive mindset to more of a very proactive evolution inside of that versus just, we already know this is bad, so therefore, we'll write the signature for it. And it's we're moved far beyond that in the email landscape today.
Ryan, it sounds like, you know, you you gave us a little bit of overview of what your your business model looks like, and it sounds like, you know, you're reaching out to restaurants, bars, cafes, suppliers, etcetera. And and so I imagine you're getting inbound emails from a lot of different sources every day, Gmail addresses, Yahoo addresses, I bet. Things that kind of have this kind of invoicing stuff that Dan talked about, but it's legitimate for you guys. And so is that part of, you know, your your, you know, risk management profile thinking about we need to be able to sort out what's what's real and what's stake in that respect? Because some of them are legit and some some aren't. And is that something that abnormal helps you with?
Yeah.
Absolutely. I mean, think about anybody that that's got, you know, Comcast or Gmail or whatever it is, right, for their for their email.
I mean, that that is their business email. That's not we we we're not a b to b kind of a company in that sense where we can rely on, you know, at, I don't know, abnormal or at CloudSlayer or Cisco or something. Right? We're relying on consumer grade email patterns to run some of our business with our merchants.
Right? So we can't we can't afford to get super stringent on internal corporate style mail security when that same practice, that same level of control needs to also address the the coffee shop owner in in a town in the middle of of Kansas or something. Right? So it's we if we block those, if we don't allow those to come in, if we miss exchanges around potential new customers or trying to maybe troubleshoot and respond to a support issue with a with a current merchant, it it doesn't just impact our business.
It really impacts our our merchants, and that's their livelihood. So we've got a really hard balance of saying, hey.
We gotta protect the CFO or the you know, somebody who's getting targeted off of a a LinkedIn campaign just as much as we gotta make sure that that email gets delivered from the the cafe owner, and and make sure that we're able to support their business along with ours and not not compromise one way or the other.
It's a it's a pretty hard balance, but it's something we've seen a lot of success with with abnormal.
And and if I can just make one one more comment on that topic and and maybe just pontificate for just a second. When I first came across Abnormal kind of in the wild, I was actually working at a value added reseller, and got brought in to do a forensics investigation on an accountant who had wired three hundred thousand dollars. We found out later to a threat actor. So they kinda contacted me slash us update thirty one and said, hey. We just found out that this payment stolen went. We wired three hundred thousand dollars to somebody, but it wasn't the vendor that we were trying to pay. And so, you know, as we start kicked off that forensics investigation, as we started looking into that, I was like, I don't think that this accountant did this, like, knowingly necessarily.
I said there's this interesting Tech company. I just heard from called abnormal security at the time abnormal ai and I was like if if their technology works as advertised They should be able to identify even though this has happened previous to our our engagement here They should be able to identify that, oh, yeah. There was a compromised external party that sent you this this these kind of updated bank account being the details to pay. And so, you know, right now, I was just gonna say, like, that balance of, like, those types of, messages that really have a payload.
And, like, in context, Like, if I just get a PDF with updated bank account details, aside from the context of that message, there's nothing malicious about it in that traditional sense. And I'll just say, like, that use case of blah blah blah, like, contextual based detection, especially things that don't have a payload in that traditional sense, is one of the primary reasons why I joined Appnormal four and a half years ago. And, you know, glad to hear that you've had success with us as well. That's always good for me to hear.
Three three hundred k. That's a little bit more severe than, you know, the classic. Hey. Can you go buy a few hundred bucks of Amazon gift cards? So there's real there's real consequences here, it sounds like.
Wanna shift for a second, Ryan. You know, we talked a lot about the inbound. You know, you guys have to communicate with folks all over the the the country, it sounds like.
What factor did that play into thinking about how you would share data with them on the flip side and and moving outbound? I imagine a lot of these folks don't have an encryption solution on their end. They don't have an IT team. So how did you kind of approach that when you went thinking about it?
Yeah. You you're you're right on all of that. I it's they don't. They they they have an iPhone and, you know, a laptop, and that's that's what they do.
Right? And so for us, it started with, you know, how does how does SpotOn work? What's our processes that are used, and who's really in scope for those situations where, you know, we have to securely exchange contract information, banking information, financial information, business IDs that are sensitive, you know, the things that contain things like Social Security numbers and tax IDs. You know, we've we've gotta make sure that we're doing that in a way that isn't just secure.
Secure is secure is you can do secure. That's not the challenge isn't doing a serious the challenge is actually doing it across a landscape that is is frictionless as you can possibly do. And so we've got, you know, the teams inside the business that have to exchange this kind of information. How do they work?
We started with that. What are your problems? What's maybe what are some of the use cases where you've encountered some really upset customers because we are trying to do the right thing. They don't like how we're trying to do it.
I don't know. So there's a learning experience that needs to go through first. Right? That's part of the journey is we can solve anything.
There's no shortage of of companies that do things these days, but what we have to do is find the right one that fits the right way we as our business pivots. Right? So we started with that, and then we started to understand the landscape of what's going on and then where we could go apply the concept of security inside of that information. And, like, to much my earlier point, it's still done via email.
Like, that is still the medium of communicating in the world today through some sort of, proposed business engagement or interaction or scheduling or something. It's it's still done through email on such a volume.
So for us, it was finding something that was frictionless, something that could be very easily approached, and most importantly, approached by someone who's not technical, that's not they don't they don't wanna know how the bits work. They just want it to work.
So that's what kind of landed us in the in the world of Virtru. It was, say, hey. We got the send out thing covered. What we don't have is a nice seamless way for someone, whether they're on a laptop, whether they're on a phone.
They just gotta send a contract, Or maybe they need to respond to an email that has that contract in it, and we want them to do it through a much more secure and traceable manner. And that's where we landed on Virtru because it helped us achieve all of that, and we didn't have to spend hours and hours writing docs or, I guess, having AI write the doc, I guess, of how does this work. We don't wanna spend time on how things work. We're trying to get stuff actually done.
And it it met all those marks, and, we've had a really, really good relationship so far with the platform and our customers. We haven't really had any complaints that that that I'm aware of. I'm gonna I'm gonna add the asterisk on that that I'm aware of, but nothing's nothing's boiled over. It's my team runs it.
We we manage it. We engage with it, and we have we've heard, minimal to no issues at all for from our customers or our internal employees.
I also love love to hear it.
I I wanna get both of your guys' perspectives on this. We're we're the the session today is called beyond the seg, and I think both of you guys are yourselves beyond the seg. Right? Dan, you have experience working at a at a seg vendor. And and, Ryan, I think you guys have used secure email gateways in the past. So maybe Dan first, you know, tell me a little bit about why something like abnormal was was more attractive to you than, you know, the the the traditional way of of doing things. And then and Ryan would love to hear from you as well on, you know, was there a compelling event that made you say, look, we gotta we gotta think about this differently.
Yeah. No. No. Thank you for that. And I'll I'll just say from my perspective, one one of the things that that I'll say is, like, every organization on the planet has some sort of secure email gateway that might be platform made into, like, Microsoft or Google Workspace, or it could be a third party like a Cisco, Mimecast, Proofpoint, Barracuda, those folks. Right?
And it's what what's been interesting for me to see and and eventually coming to abnormal, One of the big frustrations that I have when I was at a previous employer before I was at that bar and then before, you know, and then ultimately came here is, like, you kind of end up with this gap in detection that I I always have thirty as, like, the last one percent. And so it's, like, everybody's using an email gateway. But when you look at threat trends, it's like, yeah, ninety percent plus of breaches are starting with an email. We've lost over fifty billion dollars to business email compromise since twenty thirteen, just a month the FBI is tracking.
It's like, why is this happening? We all have email gateways. Right? And some have ever best of breed.
And and, you know, what, you know, what we start seeing is, like, yeah, this little one percent of stuff that initially sneaks through, it looks like a really small bit of data, like, kind of in a spreadsheet level. Right? But the impact of this stuff is crazy.
You know, this is where we're losing money. This is how breaches are starting. And so when I came across abnormal, that was kind of my first thought is, like, there's this class of messages, this last one percent, the most novel threat techniques that are happening even with more traditional payloads or those items that lack a payload. And it's like, I can't get my email gateway to necessarily detect this stuff consistently without creating a bunch of false positives and other operational work for me.
And so when we talk about abnormal coming in, it's like, yeah, that last one, two, three, four percent of unwanted and malicious messages that initially sneak through. Abnormal's whole point is to say, let's just give you an outcome. Let's detect and mitigate the risk of that last one percent. And to Ryan's point, we hope that that is very hands off and something that is very easy to do when you can just consume an outcome from us.
That's really what drew me to that normal is kind of addressing that last one percent because, again, relative to the threat landscape, we all have email gateways, but, you know, it's still the most accurate most successful threat of actors. So it's kind of the way that I look down from my perspective.
Yeah. And and on being on the customer side of that solution and some of the other solutions historically, Everything you said pretty much landed with with my experience and my history with responsibility over at mail security. And, you know, years ago, the the I you know, what was considered the IT team was the email team. Right? And, you know, that the newer companies that are that are a little bit more decentralized don't generally operate that way, and so security ends up being, you know, quote, unquote, the email team. And we're trying to not be the email team. However, we do have some skin on the game and like to understand what's going on with because the threat landscape is is so big and so deep.
So for me, it was it was a combination. It was I I'm finding the email security team, but I'm not gonna be the email team. I I don't personally like, spam is not a concern to me. Spam is that's that's that's other issues.
Right? So so, like, for me, it was block the bad. Don't worry about the newsletters and things like that that that aren't that aren't tied to to campaigns that are malicious. So I wanted something that was pretty hands off.
I wanted something where I wasn't constantly trying to, you know, dial in certain things or tweak or twist a knob or, you know, figure out the difference between this and that and then hope and pray and spend a lot of time on, you know, testing this thing out and stuff. I I don't wanna I don't want my teams to be spending time on that. I want the business to be secure. Secure.
I want my teams to let the the solution do the heavy lifting, and then we report on it. And then most importantly, the efficacy rate. Yeah. There has to be a high high degree of efficacy.
And as the threat landscape was evolving and, you know, years ago, I started seeing the same gaps. I started seeing certain certain patterns that were being channeled through email, were having a tough time being identified with with some of the more signature driven approaches, some of the more legacy style of mail security. And it it wasn't in my opinion, things weren't evolving as fastly as fast on the detection side as they were on the off end side.
And that I mean, that's not all that common.
They're usually playing catch up. However, this is a pretty important game to not play catch up all the time, so I wanted something that was at least staying at pace, you know, maybe a little ahead every now and then. And so light touch, high degree of efficacy. I'll report on it when I need to, but it just kinda does what it needs to do and allows my teams to really go focus on doing the the security work for the business while this thing is kinda operating and augmenting my team with a tech stack that constantly stays updated with some of the newer campaign patterns. And then I guess to add one more thing in that, some of the struggles that I had historically with some of the, you know, like you mentioned, like Google, Microsoft. Yeah. They are, to some degree, their own gateways.
It's always been a challenge to get visibility into the qualities, I guess, or the the the telemetry of a message as to why it may be categorized as something or whatever the thing is.
They, they they don't really offer that up. It's not super identifiable. And I think the first time I ever even saw the abnormal during a POC, you know, I was able to see all the markers inside the language, why the markers contributed to that being considered, I don't know, financial or wire or imposter or whatever it is. You know?
That allowed us to give confidence back to the business should there be an impact on delivery. If somebody was claiming, why was this constantly getting blocked or maybe the other side of that, right, we were able to speak to it. And, historically, that was just not a thing. We we kinda had a deer in the headlights.
Well, we're doing the best we can. We went off of this. So that was a real nice turning point for me to be able to speak to certain things and and give some confidence back to the business. And, you know, why are we spending money on this?
Why is it better than that or this? It's because I'll be able to tell you whether or not that was, in fact, not from PayPal or something like that.
So that all of those things combined really added up to to the decision making for me.
Yeah.
So to unpack that a little bit, it sounds like there is a couple of things you described on on one end of the spectrum here. That's a a ton of administration associated with some of these things dialing in your rules for both inbound, and I imagine rules for outbound too. You know, we're gonna protect the message if x y z is included in the subject line, and how do we eliminate false positives? But on the other hand, you also described this concept that I think we hear from both admins and end users alike, which is there's also this component of it that's a bit of a black box.
You know, whether it's inbound, I don't know why that message got flagged or outbound. It got, you know, encrypted or sent to the portal. Again, I'm not really sure why or didn't even know that it happened as an as an end user. Right.
So it sounds like you're getting a little bit more visibility now without that requirement to just be constantly dialing knobs, both putting a little bit more, control in the user's hands for the outbound side. You guys have you know, everybody loves the virtual button.
And then on the inbound side, you can actually point to, hey. Here's why the message is flagged, you know, and help people understand that. So totally makes sense.
I think we're coming up on time here. I know, Dan's got a jump, Ryan. I know you're busy as well. Any final notes that you guys wanna throw out there on this topic of, you know, beyond the SAG and maybe thinking about more modern ways to approach these both inbound and outbound, email security requirements?
Yeah. I mean, I think for me, it it starts with transparency and knowing what your business is doing and and how it works. And I think that's the that has always been a problem. It will always kind of be part of the challenge. Maybe not maybe I should say it's always been part of the challenge. Right? But I think it's gotten more challenging, especially if you get outside of the regulated industries.
You really need to know technology teams are need to know how the business is working, and long gone are some of those days where the business always funnel back through some central team of stuff. That that's not that common these days. So I think it's important to know what are the requirements of the business. You know, what's the business trying to achieve?
And I understand, you know, the landscape of cyber and risk around business continuity type of mindsets. Like, we're talking risk here. So is how much risk are you willing to absorb or not absorb around very common problematic channels like email? Are you willing to take a chance that, you know, things might sweep through, or do you wanna, like, really invest and dip your toes in the water of much more, I guess, less traditional approaches to security.
My experience has been really good. It's not guaranteed everybody's gonna do that, but I think you have to try. And my the other thing that I've really built some confidence around was a lot of the solutions are built to just snap right in. You know? They're not some of the more legacy things.
So you can snap it in, and if for whatever the reason is that particular thing doesn't work the way you want it to, it just needs you to unsnap it. So I think we have to get out of the mindset of we shouldn't be taking some risks. So I think calculated risks are part of this because otherwise, it the landscape is gonna continue to change. And if you don't try to stay up with it, there's gonna be a point where there's an event where it really shines a light that you're not staying in parity with that. And so I think I think it's good to it's okay to take some of these these calculated risk and and chances and talk to people in your your circle, your your CISO circles or whatever it is. See what they're doing.
Everybody kinda wants to know who's who's doing what and what they they should maybe be be looking at. So that that would be my advice.
Awesome.
Thanks for that, Ryan.
No.
And and, yeah, I'll I'll just see if The countdown said we might be over, but I think we're still good.
So go ahead, Dan.
No. No. Yeah. I'll I'll try to be brief. But I kinda mentioned, like, that that last one percent of, like, you know, bad stuff that initially slips through.
This is why email is still so prevalent. And one of the things that just from an abnormal perspective, and kind of my perspective as someone who who is deeply studied and continues to deeply study this industry in the print landscape is, like, we kind of exist in a world where more and more, there are so many different components of if we're talking just about email, like an email threat, so many of those are abusing, you know, legitimate services, legitimate email accounts, etcetera. But, realistically, the only way we can detect, you know, this last one percent of messages is based on contextual indicators to understand, you know, deeply understand email behavior, human behavior so that we can identify this last one percent of messages.
And, Ryan, to the point you made, it's like when we talk about things like definition, signature, threat intel, like, that's great. I'm gonna block ninety nine percent of everything that's unwanted and malicious. Those have been defined, those have been discovered, etcetera. When we talk about that last one percentage, the best way that you can detect that initially is through deep contextual understanding, and that's the approach that AppMobile tries to take to this space to say, let's understand the context in which this message was sent so that we can then properly analyze it, make a decision on it.
And it's it's going beyond those things that are known, those signatures, those definitions. And you mentioned one thing that kinda just stood out to me too is, like, the idea of, like, a black box. And I recall back to, like, some of my days at the bar and even some of the stuff that I see here, when I'm helping organizations migrate away from that third party gateway. Is, like, yeah.
I might have a message and it's like, oh, yeah. We caught this because the the we we had a spam score of, like, ninety on the message. It's like, what does that mean? Like like, cool.
A spam score of ninety. That's awesome. One of the things I've enjoyed about abnormal is, like, we're we are giving you kind of a peek out of the covers of, like, what are those contextual anomalies that we're looking for? Like, this came from an atypical sender, or maybe it's a known sender, but they don't normally use this display name, for example.
Those are the types of things we're looking for, those small contextual anomalies to say something doesn't quite seem right here, and this would be after those signatures, definitions, threat intelligence have already taken a look at that message. But, anyway, that's that's that's kind of where sorry. Where I will end it for now.
Cool. Yeah. I mean, you guys both mentioned something that I think dovetails together. I mean, you're talking about the the context then.
And and, Ryan, you mentioned, you know, one of the big things for you was understanding your business and understanding what type of data you have and and the requirements there. I think that's huge when we think about our most successful customers at at Virtru. They have a vision of of where they are and where they wanna be and an understanding of the types of data they deal with, whether it's for a compliance framework or just we think we should be doing better, but we need to protect this data for these reasons. I think if you have that understanding of your business, it allows you to go out and find solutions like a virtual.
I can have normal instead of just saying, well, we just need to get a a secure email gateway, and we're we're good with all of our data. But if you have that better deeper understanding, you can start applying solutions that are actually gonna make sense for what it is you're trying to do.
So with that, I will cut it here. I think, you guys both need to have somewhere else to be, so I appreciate you sticking over with us a little bit here. Ryan, Dan, thank you so much for joining us on this edition of, Virtru's Hash It Out series, and, I'd love to have you back because I'm fine to keep the discussion going.
Thanks for listening. If you enjoyed this episode, leave us a five star review, and don't miss us the next time we hash it out. Like, follow, and subscribe to us on YouTube, Spotify, and Apple Podcasts, all linked below.
/Carissa/Events%20and%20Webinars%20Events%20Page%20Card/26-Hash%20It%20Out-Thumbnail-Ep%2035.jpg)
/Carissa/Events%20and%20Webinars%20Events%20Page%20Card/26-Hash%20It%20Out-Thumbnail-Ep%2034.jpg)
