December 28, 2024
How To Get the Most From Your Security Team’s Email Alert Budget
We’ll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we’re all struggling to keep security teams fully staffed.  Given that reality, security teams need to be able to monitor and respond to threats

We’ll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we’re all struggling to keep security teams fully staffed.

Given that reality, security teams need to be able to monitor and respond to threats effectively and efficiently. You obviously can’t let real threats slip past unnoticed, but you also can’t afford to waste time chasing false positives.

In this post, we’re going to look at some of the ways Material Security‘s unique approach to email security and data protection can dramatically–and quantifiably–save your security teams hours each week while improving the effectiveness of your security program.

What’s Your Alert Budget?

Before we dive into the “how,” let’s take a moment to look at why efficiency is critical in security operations. To do that, let’s think about how many alerts can your security and incident response teams realistically triage, investigate, and respond to in a given day. Just like your department has a budget that limits how much money you can spend on people and tools, your security teams have a limit to the amount of time they can devote to responding to threats on any given day. That’s your alert budget.

That number will change day-to-day, of course, depending on the severity and complexity of the incidents that pop, the number of critical strategic projects your team is working on, and myriad other factors. But there is a limit. And just as you can’t afford to waste your limited financial resources on redundant tools or software that provides no value to your team, you can’t afford for your teams to waste their alert budget investigating duplicate alerts, remediating the same issue over and over, or chasing false positives.

The efficiency with which your security team spends their alert budget is just as important as how you spend your money, if not more so. Now let’s dive into how we help improve that efficiency.

Balancing Accuracy and Sensitivity

No matter how many alerts your team receives, there are a limited number of hours in any given day that your team can devote to responding to them. Material’s approach to phishing has been built on the philosophy that we need to help our customers make the most of their time. The alerts we generate must both catch as many threats as possible–while also generating as few false positives as possible.

“Precision” and “recall” are terms that will be familiar to a data scientist, but may not immediately ring a bell for security folks. In the context of email detections, precision is a measure of how many emails flagged as malicious are actually malicious, while recall is a measure of how many of the actual malicious emails received are flagged by the system.

A security system that generates very few false positives has high precision, and a system that catches nearly all the threats it sees has high recall. At a certain granular level, there is some tradeoff between the two: as you can imagine, you can lower the number of false positives you generate by decreasing the sensitivity of the detections: but decreasing the sensitivity will often lead to true positives being missed as well. Conversely, you can minimize those missed true positives by turning the sensitivity way up, but doing so will generate more false positives.

The focus at Material has been to build a detection engine that balances the two effectively, and surfaces the malicious messages that you truly need to focus on. In today’s increasingly-complex threat environment, no single layer of protection is sufficient–and no single method of detection can possibly strike the right balance on its own. To that end, the Material Detection Engine is made up of four key components:

  • Material Detections: A combination of machine learning techniques with rules built by our dedicated threat research team. AI and ML are great for connecting dots and finding relationships that humans may miss, but for all the advancements in AI lately, there’s still no replacement for the insight and capability of human expertise. Material Detections are the best of both worlds.
  • Custom Detections: Every organization and every environment are unique, so we give customers the ability to create custom detections based on what you’re seeing across your user base or out in the wild.
  • Email Provider Alerts: Google and Microsoft periodically issue alerts for phishing emails that they’ve detected post-delivery; we ingest and process those alerts and add them to our detections.
  • User Reports: Material automates your abuse mailbox, from ingesting user reports, consolidating similar messages within a single case, and applying automated protection immediately while providing flexible remediation flows to security teams.

All of these facets combine into a powerful and incredibly precise detection platform that gives our customers powerful protection without wasting their time with false positives and noise–striking what we believe to be the right balance between precision and recall. But while effectively balancing accuracy and sensitivity is critical, it’s not enough: a modern email security platform also needs to streamline security operations themselves.

Fool Me Twice, Shame on Me

There’s been a noticeable uptick in email attack campaigns that are not just wide-ranging but very personalized. There’s debate about how much of this can be attributed to generative AI–the prevailing assumption was that the explosion of generative AI would give adversaries a new bag of tools to play with, but research like Verizon’s 2024 DBIR show little meaningful impact on attacks and breaches at this point.

Regardless of whether these attacks are AI-generated or not, there’s no denying they’re on the rise. Sure, we all still get the generic and transparent ‘are you available?’ messages from our “CEOs” when we first join a new company. But we also get emails with fake invoices coming from domains that are spoofs or homoglyphs of trusted partners and vendors. We see complex pretexting attacks laying out completely believable stories from senders who appear to have connections with us. We receive emails from spoofed or homoglyph domains that fool even the most conscientious user.

And often these attacks are repeated across an organization, but tailored to each recipient. Not only do they evade native email security controls and make it through SEGs, but they appear as individual attacks. Subject lines, senders, and even body content can vary from email to email, making it hard to easily group them together–meaning your security team has to burn through multiple cycles to investigate and respond to dozens or hundreds of iterations of the exact same attack.

Material helps security and IR teams address this problem with automatic clustering of suspicious messages. When Material detects a potential threat, it automatically creates a Case within our platform. It then scours the entire environment for messages that match that case, based on a range of criteria. It looks for similarities among the usual fields, of course: matching senders, matching subject lines, matching body text, etc. But it also looks for things like the URLs embedded within the messages and attachment, matching attacks that are otherwise impossible to group by other means.

Material creates cases for all detected messages, and clusters similar messages together, simplifying investigation and remediation.

And when messages are clustered together in a single case, it makes triage, investigation, and even remediation significantly simpler. Speedbumps by default are automatically applied to all the messages within the case–so your users will get a warning that the message may be malicious before your team even has a chance to investigate. And once you’ve investigated and applied a remediation to a single message within the case, every message in that case–even matched messages that are delivered after your investigation–receive that same remediation.

We’ve already seen powerful examples of how this helps our customers in the real world. One Material customer recently told us that they tracked their phishing email investigations over a three-month period. In those 90 days with Material Security’s help, their SOC saved over 300 hours of time investigating and responding to phishing emails. All those hours stayed in their alert budget to deal with other pressing matters.

Harnessing Your Organization’s Collective Intelligence

Today’s workforce is well aware of phishing threats. That doesn’t mean they don’t still fall for them, of course, but it means they’re on the lookout for suspicious, poorly-worded, or simply unexpected messages.

And it’s important to get it right. No single line of defense is going to catch all inbound email threats, and for all the incredible advancements in AI and machine detections, sometimes there’s no substitute for a keen-eyed employee noticing an email just doesn’t pass the sniff test.

The downside is that handling user reporting can also be a significant drain on your security team if not handled correctly. Duplicate reports, harmless emails flagged for review, the need to respond to the user(s) who flagged… when you add up the minutes all of these actions require over dozens or hundreds of reports every day, it can be a significant time suck.

Material automates the full lifecycle of user report response, applying immediate herd immunity to all messages within a reported message case across your entire organization.

Material cuts away the day-to-day backend slog of user reporting, automating your abuse mailbox to both speed remediation and save your security team time. Material automatically adds a speedbump to reported messages across your entire user base, providing an immediate layer of protection while your security team investigates the issue.

Granular remediation options allow your teams to speedbump, block links, or outright delete reported emails that turn out to be malicious. And thanks to case consolidation and similar message matching, when you’ve investigated and responded to one email, you’ve responded to every similar message in the entire case. Finally, Material automatically responds to reporters with an acknowledgement message–that you can change or update as your investigation proceeds if you wish.

Material simplifies and streamlines the process of ingesting and responding to user reporting, while adding immediate protection to provide air cover for investigations.

Advanced Protection You Can Trust, Efficiency You Can Take to the Bank

Your security teams have to juggle enough as it is. With Material Security, they’ll chase far fewer false positives, triage and investigate phishing cases faster, and spend less time on administrative busywork with user reporting. Material frees up more of your alert budget so you can spend it on what really matters.

To see how much time you can give back to your security team, contact us for a demo today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.