It does that within a secure sandbox, so any malicious code doesn't have a chance to hit anything delicate. But it keeps track of "what the URLs are doing behind the scenes, to lure you into clicking on other links on the page, to focus on the behavior of the URL even before analyzing the payload, if there is one," according to Manoj Srivastava, Cyveillance's CTO.
It takes between 30 seconds and a minute, on average, to run a behavioral analysis on an unknown link, Srivastava said.
Thirty seconds per email is far too slow for any reasonable corporate email filter, but only a tiny fraction of the messages need to go the slow route. Cyveillance has been running its global security business for 12 years, primarily collecting, analyzing and nullifying security threats for large companies.
The scope of the data is large enough to keep the number of special cases small, he says.
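As an added illustration of the fast-path/slow-path split described above (this is not Cyveillance's code; the host lists and messages are constructed samples), the example routes only links that miss both reputation lists to the sandbox queue and totals the sandbox time that implies:

```python
import re
from urllib.parse import urlsplit

# Constructed reputation data for the example; not Cyveillance's threat database.
KNOWN_BAD_HOSTS = {"login-update-secure.example", "payroll-verify.example"}
KNOWN_GOOD_HOSTS = {"intranet.example.com", "www.example.com"}
SLOW_PATH_SECONDS = (30, 60)  # per-link sandbox cost range quoted in the article

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def normalize(url: str) -> str:
    """Lowercase scheme/host, drop fragment and trailing punctuation so variants collapse."""
    parts = urlsplit(url.strip().rstrip(".,);"))
    host = (parts.hostname or "").lower()
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}{query}"

def triage_url(url: str) -> str:
    """Fast path: reputation lookup. Anything unknown goes to the slow sandbox queue."""
    host = urlsplit(normalize(url)).hostname or ""
    if host in KNOWN_BAD_HOSTS:
        return "block"
    if host in KNOWN_GOOD_HOSTS:
        return "allow"
    return "sandbox"

def triage_message(body: str) -> dict:
    """Per-URL verdicts plus a message-level decision (block beats hold beats deliver)."""
    verdicts = {normalize(u): triage_url(u) for u in URL_RE.findall(body)}
    if "block" in verdicts.values():
        decision = "quarantine"
    elif "sandbox" in verdicts.values():
        decision = "hold-for-sandbox"
    else:
        decision = "deliver"
    return {"urls": verdicts, "decision": decision}

def slow_path_load(messages: list) -> dict:
    """How many messages take the slow route and the sandbox seconds that implies."""
    held = [triage_message(m) for m in messages]
    held = [r for r in held if r["decision"] == "hold-for-sandbox"]
    unknown_links = sum(list(r["urls"].values()).count("sandbox") for r in held)
    lo, hi = SLOW_PATH_SECONDS
    return {"held": len(held),
            "fraction": len(held) / len(messages) if messages else 0.0,
            "sandbox_seconds": (unknown_links * lo, unknown_links * hi)}

# Constructed sample inbox: one internal link, one known-bad lure, one unknown host, one no-link.
SAMPLE_MESSAGES = [
    "Quarterly numbers: https://intranet.example.com/reports/q3",
    "Please verify your payroll at https://login-update-secure.example/verify?u=ceo",
    "Slides from the offsite: https://files-share-drive.example/d/abc123 (expires Friday).",
    "No links here, just a reminder about the 3pm meeting.",
]
```

Only the third message pays the 30-to-60-second sandbox cost; the rest are decided by the lookup alone.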
Spear phishing depends on more social engineering as well as bad links. SEPA addresses that part of the threat by identifying people within the company at particular risk for phishing attacks – basing its list on both the company's own recommendations and the results of a red-team attack analysis of the company, Srivastava says.
Basically, if the phishers can tailor their attacks, so can the defenders.
"One of the assumptions is that we need to detect targeted attacks that are crafted for the particular enterprise and individuals targeted within it, so there won't be a lot of spam going around with identical links as the ones aimed at that enterprise."
So, for an appliance, which is supposed to be dead simple to install, SEPA depends on a lot of customized services.
First, Cyveillance's giant threat-identification database; then red-team penetration testing of the company's existing security to identify individuals at risk and threats particular to that company; then further analysis of risks specific to the targeted individuals.
The SEPA appliance gets regular updates to its own data, as do the profiles of high-risk users, all of which is a lot more complex and a lot more expensive than you'd expect for an appliance.
There is a one-time fee for the appliance itself – somewhere between $125,000 and $150,000, though the final price is not yet set.
Each high-value target – usually C-level executives and others with access to particularly delicate data – costs another $5,000 apiece.
A year's subscription to the risk-analysis database comes from Cyveillance's OEM and ISP partners, so that cost is variable as well, but should be in the neighborhood of $30,000 per year, Srivastava said.
That's not cheap, and it's not simple, even presented in the form of an appliance.
Social engineering-based attacks aren't easy to stop, and obviously aren't cheap to even address.