It may be too late. I mean, consider the 100-million stolen customer accounts that made Sony famous, the spear-phishing that proved China pwns Google, the social engineering that proved Anonymous owns everybody.
The cracking may already have spread so far that all the serious crackers are going out of business because all the data with any value has already been stolen.
On the off chance that hasn't happened yet and there are still some companies that realize they have to do more to secure themselves against spear phishing and social engineering than even pretty well-secured companies have been willing to do until now.
Today, security-services company Cyveillance is announcing a new security product designed to be installed easily, as an appliance, but take advantage of the company's real-time threat-management services to block social-engineering attacks through email.
Cyveillance's Social Engineering Protection Appliance (SEPA) plugs in to an email network inside the firewall but in front of a company's mail servers, analyzing email in real time to identify live links, requests for sensitive data and other markers for malicious phishing attempts.
The language Cyveillance uses to describe SEPA's process – email intent analysis -- makes it sound more unlikely than it is, but the process actually makes sense.
It bases its analysis on enormous sets of risk-analysis data Cyveillance gathers as part of the global threat intelligence service – which uses partnerships with ISPs, spam traps, real-time monitoring of threat reports and malware reports to build a database with enough range to give it a good chance to identify links inside email as malicious.
To catch previously unknown sites, SEPA stops email containing links it doesn't recognize, and finds out what would happen if a user clicked the links, by clicking the links itself.
It does that within a secure sandbox, so any malicious code doesn't have a chance to hit anything delicate. But it keeps track of "what the URLs are doing behind the scenes, to lure you into clicking on other links on the page, to focus on the behavior of the URL even before analyzing the payload, if there is one," according to Manoj Srivastava, Cyveillance's CTO.
It takes between 30 seconds and a minute, on average, to run a behavioral analysis on an unknown link, Srivastava said.
Thirty seconds per email is way too slow for any reasonable corporate email filter, but only a tiny fraction of the messages need to be go the slow route. Cyveillance has been running its global security business for 12 years, primarily collecting, analyzing and nullifying security threats for large companies.
The scope of the data is large enough to keep the number of special cases small, he says.
Spear phishing depends on more social engineering as well as bad links. SEPA addresses that part of the threat by identifying people within the company at particular risk for phishing attacks – basing its list on both the company's own recommendations and the results of a red-team attack analysis of the company, Srivastava says.
Basically, if the phishers can tailor their attacks, so can the defenders.
"One of the assumptions is that we need to detect targeted attacks that are crafted for the particular enterprise and individuals targeted within it, so there won't be a lot of spam going around with identical links as the ones aimed at that enterprise."
So, for an appliance, which is supposed to be dead simple to install, SEPA depends on a lot of customized services.
First Cyveillance's giant threat-identification database, red-team penetration testing of the company's existing security to identify individuals at risk and threats particular to that company, then adding more analysis of risks specific to targeted individuals.
The SEPA appliance gets regular updates to its own data, as do the profiles to high-riskers, all of which is a lot more complex and a lot more expensive than you'd expect for an appliance.
There is a one-time fee for the appliance itself – somewhere between $125,000 and $150,000, though the final price is not yet set.
Each high-value target – usually C-level executives and others with access to particularly delicate data – costs another $5,000 apiece.
A year's subscription to the risk-analysis database comes from Cyveillance's OEM and ISP partners, so that cost is variable as well, but should be in the neighborhood of $30,000 per year, Srivastava said.
That's not cheap, and it's not simple, even presented in the form of an appliance.
Social engineering-based attacks aren't easy to stop, and obviously aren't cheap to even address.
Cyveillance may create an SMB version of the service at some point, Srivastava said. Right now it's concentrating on its enterprise customers and the higher cost structure they can support.
Data Loss Protection and real-time security services from companies promise similar results, mainly by identifying sensitive data as it leaves the network, or detecting call-home activity from malware once it's installed.
None promise quite the mix of filtering and analysis as Cyveillance, at least not yet. None of them are cheap, either.
You could argue that Cyveillance is working awfully hard to idiot-proof corporate security and email.
You'd be right, because the quality of idiot, in this case, is very high, as is the ability of phishers to take advantage of them.
Given that humans are the weak point in the defense and strength of the offence, it may be that no systematized social-engineering defense will ever be even mostly successful at blocking spear phishing.
Expensive and complex as it is, though, Cyveillance's approach seems pretty comprehensive.