MSP Security Stack Incomplete Without Email Security: Mailprotector CEO

‘What happens is, we're fighting the wrong side of asymmetric warfare. What attackers are doing right now is shooting $50 mortars over the wall, and we’re shooting them down with million-dollar missiles. And it's been this way for decades because the economics work for the bad guys. Simple as that,’ says Mailprotector Founder and CEO David Setzer.

Given that email is the primary threat vector today, MSPs should be focused on ways to mitigate email-borne attacks.

That’s the word from David Setzer, founder and CEO of Mailprotector, who told an audience of MSPs and solution providers at this week’s XChange 2024 conference in Orlando, Fla., that up to 60 percent of cyberattacks already came via email 10 years ago, and that the problem has only gotten more serious and more problematic over the years.

“So if you provide any type of security services, you can’t ignore this foundational piece of your security stack,” Setzer said.

The XChange 2024 conference is sponsored by The Channel Company, which is also the parent company of CRN.

Email was designed to be a wonderful communications tool, but it was originally developed using the open SMTP (Simple Mail Transfer Protocol) on which the early internet was based, Setzer said. That was fine in the early days when the internet had a grand total of 15 or 16 nodes, and every user was properly vetted, he said.

The internet has since grown but still uses SMTP to transfer messages, leaving email open to ever more sophisticated attacks and increasingly difficult to protect, Setzer said.

“What happens is, we're fighting the wrong side of asymmetric warfare,” he said. “What attackers are doing right now is shooting $50 mortars over the wall, and we’re shooting them down with million-dollar missiles. And it's been this way for decades because the economics work for the bad guys. Simple as that.”

As email security has gotten more sophisticated, the bad guys have gotten more sophisticated, Setzer said.

“It's not one or two guys in a basement in Russia or China or North Korea somewhere,” he said. “Now it’s large, sophisticated organizations. I mean, they do the same things we do. They have their prospecting teams. They have their closers. [You know] if you've been involved in a ransomware issue, your customers get handed off to the finance department for payment. Literally, these are large, sophisticated organizations, and they're looking to get our users compromised.”

MSPs have to change the dynamic now that 90 percent of threats are coming through email, Setzer said. And over the last couple of years, while total ransomware payments have grown, the average payment per incident has decreased, he said.

“Now, it doesn't take a rocket scientist to figure out pretty quickly what that means,” he said. “Smaller and smaller organizations are being targeted. And larger organizations are becoming more hardened to the problem. So what it means is this filtering down further and further to the SMB, and by osmosis, the MSP space, because they're more vulnerable targets, they're easier targets.”

There are attempts to enhance email security, including new email authentication methods being used by Google and Yahoo to help stop attacks, Setzer said. These include SPF to protect against spoofing, DKIM to add a digital signature to emails, and DMARC to protect email users from having an entire organization spoofed, he said.

“Here's the problem,” he said. “Right now, 90 percent of the malicious traffic that we're seeing passes all or at least one of these protocols. Now, don't get me wrong. These are good steps. DKIM, SPF, DMARC are good progressions in trying to solve the problem of the open-protocol closed network. They help us identify and help create trust. However, the bad guys know how to use them, and they know how to use them well.”

Email security is pretty good today at lopping off the top of the attacks, Setzer said. What is needed now, however, is a shift to a new generation of email security as current tools such as IP-based domain block lists or antivirus scanning of attachments continue to lose effectiveness, he said.

“We've got to build a trust network,” he said. “And you can't build a trust network without AI, because it would be too hard for the user to manage. It would take this chore and now make it a much harder chore. So you have to use AI, and you have to use neural networks to be able to trust the network.”

Even then, Setzer said, users have to deal with emails that are more like what he termed “unwanted events” but not threats, such as someone promising to deliver 17 qualified leads in the next 72 hours.

The fundamental assumption with the internet and email is that it provides the good things users want, he said.

“And so for thirty-some years as an industry, we're trying to figure out what's bad,” he said. “Well, we have to turn that assumption on its head and figure out what's good.”

Mailprotector’s recently launched Shield, for which the company received its first patent just a couple days ago, is basically noise-cancelling headphones for the email inbox, Setzer said. Shield also adds privacy functionality and capabilities to help prevent the mining and selling of user identities, he said.

The company also provides channel partners with a tool that lets them run a one-time assessment of a customer’s email security posture, Setzer said.

“So you can walk into a customer, you could walk into a prospect, and in about 90 seconds run an email security assessment,” he said.

No email security product will be 100-percent effective, but some products are better than others, said Aaron Schmitz, president of Equity Technology Partners, a Pasadena, Calif.-based MSP.

“Mailprotector has been far, far better both on inbound and on the outbound side than any other product that I've worked with over the years,” Schmitz told CRN. “I think it's just that it's very simple to implement. Their encryption product is also very easy to use. So clients love it as well.”

Schmitz said his financial and healthcare clients are seeing the email issues that Setzer discussed in his presentation.

The big question is really about the nuts and bolts of email security, and whether a product does what Setzer said it needs to do, Schmitz said. “And Mailprotector does that,” he said.