
The Human Factor 2019

Blake P. Sallé, Nate Chessin

Proofpoint


Transcript

  1. The Human Factor 2019. Blake P. Sallé – EVP, Worldwide Sales and Field Operations, [email protected]. Nate Chessin – VP, Americas Engineering, [email protected]. © 2019 Proofpoint. All rights reserved. Proofpoint, Inc. - Confidential and Proprietary.
  2. Agenda. (1) What is “The Human Factor?” (2) By the Numbers – Key Stats Illustrating the Human Factor. (3) Tools and Techniques – Social Engineering in the Wild. (4) Recommendations.
  3. What is “The Human Factor?” The instincts of curiosity and trust that lead well-intentioned people to click, download, install, open, and send money or data.
  4. Data Sources Analyzed. 5B+ messages processed daily; 79 of the Fortune 100; 7000+ enterprise customers; 91,000+ total customers; 300K+ unique daily malware samples; 500B+ threat graph nodes; 130 of the 140 largest global service providers. Visibility across network, email, social, and partnerships.
  5. Attacks Increasingly Target People. Attackers go after a range of platforms; social engineering is a pervasive and evolving threat; “Very Attacked People” (VAPs) aren’t always VIPs. Key figures: $26B+ exposed losses worldwide from BEC/EAC (June 2016 – July 2019) (Source: FBI); 45% of organizations have at least 1 compromised account; 36% of VAP identities could be found via a simple web search, while only 7% of VIP identities could be found online (Source: Proofpoint Threat Data); 25% of all phishing involved generic email harvesting; 99%+ of observed attacks rely on the user to run malicious code (Source: Proofpoint Threat Data).
  6. Defenders Don’t Focus on People – Attackers Do. Attack vectors (Source: 2019 Verizon DBIR): 93% of all breaches are attacks targeting people, 96% via email. IT security spending (Source: Gartner): Network 62%, Endpoint 18%, Email 8%, Web 12%.
  7. Threat Landscape: Continued Trend Toward More Targeted Attacks. It’s all about the credential!
  8. Threat Landscape: Nearly 100% of Attacks are Human Activated. And it doesn’t work if the target doesn’t click (or you block it).
  9. Email credentials top phishing lures in 2018 and beyond. 25% of 2018 phishing messages targeted generic email credentials.
  10. Everyone Wants To Be Smarter. In H1 2019, the most effective lures shifted to cloud storage and Microsoft cloud services.
  11. When We Click. [Chart: Global Malicious Click Hours. Percent of total volume by hour of day (0–23), time of day adjusted for regional time zones; series: AMER, APAC, EUR, GLOBAL, ME.]
  16. Impostor Emails. Impostor attacks rely on a range of identity deception techniques to trick users into completing an action. These can include BEC/EAC, but may be used in many kinds of attacks.
  17. Top Impostor Email Subject Lines. “Payment” and “Urgent” subject lines are trending upwards as “Requests” wane.
  18. Impostor Subject Lines Vary By Targeted Industry. Education is overwhelmingly targeted with “Request” impostor emails.
  19. Impostor Messages are Delivered During the Work Week. 31% of impostor emails are delivered on Mondays.
  20. Both Targeted and Scattershot Attacks Increase. 47% of impostor attacks in Q1 2019 spoofed multiple addresses and attacked multiple identities.
  21. Attack Index. The Attack Index is an aggregate measure of risk and exposure for individuals in an organization. Averaging the attack index across industries provides important insights into risk and defensive posture for organizations of all sizes. Combined with views of “Very Attacked People” (VAPs), organizations can better understand their posture relative to the threat landscape.
  22. Who Are Your VAPs? Three factors define VAPs. Attack (Targeted by Threats): receive highly targeted, very sophisticated, or high volumes of attacks. Vulnerability (Work in High Risk Ways): click on malicious content, fail awareness training, or use risky devices or cloud services. Privilege (Access to Valuable Data): can access or manage critical systems or sensitive data.
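The two slides above describe an aggregate per-person risk measure built from attack, vulnerability and privilege, but not how such a measure is computed. The following is an added illustrative model, written for this page and not Proofpoint's Attack Index or any Proofpoint code: the `Person` fields, the weights, the 50-point VAP threshold and the three sample people are all constructed assumptions. It scores each factor separately, combines them with a geometric mean so that a person who is extreme on only one factor does not dominate, and flags as VAPs the people who score high on all three, which is how a low-clicking executive can rank below a heavily attacked, click-prone accounts-payable clerk (the "VAPs aren't always VIPs" point from slide 5).

```python
# Added illustrative example: a toy people-centric risk model built around the
# three VAP factors named on the slide (Attack, Vulnerability, Privilege).
# It is NOT Proofpoint's Attack Index; every weight, field and person below is
# a constructed assumption for demonstration only.
from dataclasses import dataclass
from statistics import mean


@dataclass
class Person:
    name: str
    attacks_30d: int          # threats observed against this person in 30 days
    targeted_share: float     # fraction of those threats that were targeted, not bulk
    max_sophistication: int   # 1..5 analyst rating of the most sophisticated lure seen
    click_rate: float         # fraction of (real or simulated) phishing they clicked
    training_failures: int    # failed awareness modules in the period
    risky_services: int       # unsanctioned devices/cloud services in use
    privilege: int            # 1..5, 5 = can move money or administer critical systems


def attack_score(p: Person) -> float:
    """How hard the person is attacked: volume (saturating at 50/month),
    share of targeted attacks, and sophistication of the best lure seen."""
    volume = min(1.0, p.attacks_30d / 50)
    return round(100 * (0.4 * volume
                        + 0.3 * p.targeted_share
                        + 0.3 * p.max_sophistication / 5), 1)


def vulnerability_score(p: Person) -> float:
    """How likely the person is to 'work in high-risk ways'."""
    return round(100 * (0.5 * p.click_rate
                        + 0.3 * min(1.0, p.training_failures / 3)
                        + 0.2 * min(1.0, p.risky_services / 3)), 1)


def privilege_score(p: Person) -> float:
    """What an attacker gains if this person is compromised."""
    return round(100 * p.privilege / 5, 1)


def attack_index(p: Person) -> float:
    """Geometric mean of the three factors: a near-zero factor pulls the index
    down, so the index rewards the intersection rather than one extreme score."""
    a, v, pr = attack_score(p), vulnerability_score(p), privilege_score(p)
    return round((a * v * pr) ** (1 / 3), 1)


def find_vaps(people, threshold=50.0):
    """Names of people at or above the threshold on ALL three factors, riskiest first."""
    vaps = [p for p in people
            if min(attack_score(p), vulnerability_score(p), privilege_score(p)) >= threshold]
    return [p.name for p in sorted(vaps, key=attack_index, reverse=True)]


def org_attack_index(people) -> float:
    """Organisation-level figure: the average of the individual indexes."""
    return round(mean(attack_index(p) for p in people), 1)


# Constructed sample population (not real data).
PEOPLE = [
    Person("ceo",      attacks_30d=40, targeted_share=0.8, max_sophistication=5,
           click_rate=0.05, training_failures=0, risky_services=0, privilege=5),
    Person("ap_clerk", attacks_30d=60, targeted_share=0.6, max_sophistication=4,
           click_rate=0.5,  training_failures=3, risky_services=2, privilege=4),
    Person("intern",   attacks_30d=5,  targeted_share=0.1, max_sophistication=2,
           click_rate=0.6,  training_failures=3, risky_services=3, privilege=1),
]

if __name__ == "__main__":
    for p in PEOPLE:
        print(f"{p.name:9} attack={attack_score(p):5.1f} vuln={vulnerability_score(p):5.1f} "
              f"priv={privilege_score(p):5.1f} index={attack_index(p):5.1f}")
    print("VAPs:", find_vaps(PEOPLE))            # ['ap_clerk']
    print("Org attack index:", org_attack_index(PEOPLE))
```

Running it shows the CEO with the highest attack score (86.0) but an index of only 27.8 because the vulnerability factor is 2.5, while the clerk reaches 76.5 and is the only VAP; the per-factor scores also tell a defender which lever to pull (training for the vulnerability factor, privilege review for the privilege factor).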
  23. Very Attacked People. = $, $ | $ ≤ $)*, $ = , = . */ */ = $/ VAPs = ≥ max$ $ − , $ ⋅ , How do we define them?
  24. VAPs Vary Seasonally. VAPs identified today may be different in a month based on changes to threat actor TTPs.
  25. Proofpoint Recommends. There is no silver bullet, but a people-centric strategy is the best way to address threats that overwhelmingly target people.
    • Adopt a people-centered security posture.
    • Train users to spot and report malicious email: regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable.
    • Assume that users will eventually click some threats.
    • Build a robust email fraud defense.
    • Protect your brand reputation and customers in channels you don’t own.
    • Partner with a threat intelligence vendor.
  26. Thank You. Blake P. Sallé – EVP, Worldwide Sales and Field Operations, [email protected]. Nate Chessin – VP, Americas Engineering, [email protected].