Podcast Fighting Phishing in a Post-GPT World By MailChannels | 37 minute read Mike Jones, Senior Director of Product Management at Fortra Agari, joins Ken to discuss the past, present, and future of Agari’s fight against phishing. As the originators of DMARC, learn how Mike and the Agari founding team rallied the email industry around this new standard for domain name protection and built a highly successful business helping the world’s largest brands secure themselves against impersonation online. Learn about the impact of phishing attacks on businesses and individuals, highlighting the importance of email authentication and the role it plays in preventing malicious activities. Our conversation concludes with a discussion of the potentially frightening wave of phishing that will be enabled by large language models such as ChatGPT. Don’t miss this exciting and engaging episode! Listen here: Watch here: Read the transcript: Mike Jones: The really bad stuff you see now, it’s probably coming from a real service that has a real reputation established. They just figured out a way to either set up a free, legitimate account there, and then abuse it, and get around some sort of processes. As organizations continue to migrate their email to cloud services and use cloud services more heavily, that’s more and more the target of the attackers as well. Ken Simpson: So you’re a little bit like a therapist for corporate security teams. Mike Jones: Absolutely. Ken Simpson: Sounds like. The following is a conversation with Mike Jones, senior director of product management for Fortra, a cybersecurity company specializing in protecting organizations from the latest cybersecurity attacks involving impersonation and phishing. I hope you enjoy this conversation with Mike Jones of Forta. Mike, can you tell us about the early days of Agari? How did the company get started, and what was the initial vision of the company’s founder, Patrick Peterson? Mike Jones: Yeah, for sure. I actually have to go back a little bit before Agari to tell the whole story. So I knew Patrick when I was the director of the anti-spam team at AOL, back in the 2000’s, and Patrick was a senior fellow at Cisco at the time, and he did a lot of research in the anti-spam area, and we were both really interested in email authentication technologies in our different companies and different roles. Pat really had this vision to make email authentication actionable and practical, because at the time, there was SPF and there was DKIM, and they both existed. They were both used in various ways, but with a lot of limitations, and they weren’t widely adopted, and they weren’t widely used for a practical business reason at the time, but he had a vision to change that. So back then, he had a prototype of that Cisco that he called … It was actually, the URL was whoisspoofing.us, so who is spoofing us, and he used some of the Cisco data to show on a domain basis what is happening with your email authentication, because one of the big things that lacked back then in email authentication was as a domain owner, if I signed my messages with DKIM, or if I published an SPF record, that was kind of it for me. I had no idea what happened after that. There was no reporting or visibility into what receivers actually checked my SPF record, what receivers actually validated DKIM signatures, and if they did, did it pass? Did it fail? Did you do something based on that? It was a complete black box as a domain owner, “What happened to your messages?” So he ended up taking this prototype and spinning it out of Cisco and creating what became Agari in late 2009, and that’s how it all got started. Was just this idea that this could be so much more, and email authentication could be an effective tool to prevent phishing and prevent spoofing and protect people, employees of businesses, and consumers as the recipients of emails. Ken Simpson: Wow. So I mean, basically, Agari got started before there even was DMARC. Mike Jones: Yeah, that’s right. So we were actually members of the founding DMARC.org working group that wrote the DMARC specifications, so yeah, back in those old days, we would get together in working group meetings and calls and hash out all the things that were going to go into the original DMARC spec, which ultimately got published as a internet standards spec a couple years after the founding of Agari, actually. Ken Simpson: Wow, fascinating. So when did you personally join Agari? You joined pretty close to the founding of the company. Mike Jones: It was pretty close, yeah. I was one of the first handful of people at Agari. I joined … Actually, I think according to LinkedIn, I just hit my 13-year anniversary, so … Ken Simpson: Wow, congratulations. Mike Jones: Yeah, thanks. So it was 2010. It was in the month of April, 2010 when I first joined Agari and started working with Pat and the team, and so it was a few months after the actual founding of the company. Ken Simpson: And give us a sense of what Agari looked like back then. What was your office like? How many people approximately? Mike Jones: Yeah. So there was no office at the time. So at the time, I was living in Northern Virginia, having recently left AOL, and everyone worked remotely, so we were entirely remote. We didn’t get our first office until another … Oh, what was it? Maybe a year later, when we got one of our Series A round of funding, and we ended up taking some space in one of our investors in an incubator-spaced office in Palo Alto, so that’s actually where our first office ended up being, but up until then, we were really entirely remote, and then we would occasionally … Like throughout the year, we would have get-togethers where we would all come together in a place for a week to work together, but that’s how we started. We started as a remote company. Ken Simpson: And you’re also a remote company now, pretty much, right? Mike Jones: Yeah. Yeah, absolutely. Ken Simpson: Interesting. So what were some of the biggest challenges that Agari faced in the early days? I mean, aside from the challenge of just being a startup company and needing money and stuff like that, what were some of the technical challenges? Mike Jones: Yeah. Yeah, we definitely had all of those challenges that every startup company goes through, but I think adding to that, we were trying to build a business and start a company that was based on an idea that required industry collaboration. So even before, like I was saying, we had this concept of what ultimately became DMARC. Before DMARC existed in the early days, I actually spent a lot of time going around, trying to convince email receivers that they should participate in this thing, and we had this private mechanism for exchanging authentication data and authentication policies and things like that. All the things that you do with DMARC now, we had all these private mechanisms for doing, and I had to try to convince Google, or Microsoft, or AOL to participate in this because you needed the receivers of email to participate in order to make this valuable for the senders of email, who were the domain owners, who wanted to implement the authentication. So yeah, there was a lot of just trying to make people understand the idea of this, and why we want to do this, and why it would create value for you as a business, why it would benefit you as a receiver, and then, of course, that ultimately led to the idea. I think Google was actually the first entity that we talked to that decided, “Well, we see the value, but we want this to be an open specification that we don’t have to have all these private arrangements to do it, so let’s build a standard,” and that became ultimately the DMARC working group. So then, we were also trying to build a business and go through all the startup pains and participate in a large working group with some of the biggest brands in the world and build an emerging specification that would support what we wanted to do. Ken Simpson: Wow, cool. And so looking back, obviously, in the early days of any company, there’s so many variables that you can’t predict, but looking back with benefit of hindsight, is there anything that you would’ve done differently in the early days of the company, knowing what you know now? Mike Jones: Yeah. I mean, yeah, there’s always things that you would want to do different when you look back. I know, I’m sure you feel the same with your company, when you look at the early days as well, but with Agari, there were so many moving parts. It’s hard to pinpoint any one thing, but I did mention, in my early years with Agari, I spent a lot of time going around a lot of time and effort and energy just trying to convince email receivers to do DMARC, and even after DMARC became a spec, and really, the 800-pound gorillas were all in on it, there was still the long tail of other mid-size email-receiving companies, all the local regional cable companies that have mailboxes and smaller email receivers that we really wanted to build out that DMARC ecosystem, and it was so time-consuming, and so hard to do all that. Maybe if we could have had something built into the DMARC spec earlier or that would’ve made it easier to implement in receivers or made it easier to immediately show the value that could have helped the growth move faster or something like that. That’s one of the things I often think about. Ken Simpson: Right. Got it. So in the early days, perhaps the DMARC standard was a little bit ambitious in its complexity to get to that long tail of implementations by receivers. Mike Jones: Yeah. Ken Simpson: But nonetheless, I mean, obviously today, DMARC is a widely adopted standard that I think everyone pretty much takes for granted in the email industry. Mike Jones: Yeah. Ken Simpson: What were some of the key milestones and achievements along the way that helped Agari grow and become successful, and ultimately be acquired by health systems, obviously now known as Fortra? Mike Jones: Yeah, there were a number of things that I could point to. Obviously, our first customers were huge for us, and so I think we signed three customers around the same time back in the 2011 timeframe. I’m not going to say which was first because I’ll get the order wrong and I’ll upset someone, but JPMorgan Chase, Facebook, and LinkedIn were three of our early customers, and they were also happened to be three participants in the DMARC.org working group as brands who were supporting the DMARC effort, but that’s a pretty good roster of first customers for a startup, so you can’t ask for a lot more than that as your first customers. That was huge for us to have, to be part of that working group with brands like that, that were on board with what we were doing and as our first customers. So then, of course, after that, we actually, the working group published the spec in 2012, so that was a huge milestone, because then, there was something that we, as a business, we could point to this as a published … This is published now. It wasn’t a standards, it was a informational spec by the IETF, but still, it’s a published specification that businesses would pay attention to as a real thing once we actually published DMARC. So that was huge in 2012. A year or so after that, we participated with Microsoft and FS-ISAC on providing some data and research into their Citadel Botnet Takedown, that was pretty widely publicized back in 2013 timeframe. That was really huge for us because even though … I mean, it was Microsoft got most of the headlines, we were mentioned often with it, and it really helped solidify a couple things, our space in the security industry as someone who really could contribute and participate and do good for the security industry, and it also helped solidify and validate the value of DMARC and DMARC data in the security industry. It wasn’t just a pet project that the email security team was going to own or anything. This is a real security tool that can really help, so that was a big thing as well. Ken Simpson: So it sounds like, although it was difficult to get off the ground because when you’re building a standard, you need everybody to get on board, or you need a critical mass to get on board. Once that critical mass did get on board after the publication of the standard, it seems like it kind of took about a life of its own and had some momentum that took Agari in some interesting directions. Is that fair to say? Mike Jones: Yeah, absolutely. Absolutely. In fact, even after that, in 2016, we launched our Phishing Defense product, and that product really grew out of our, I’ll say our DNA as a authentication and authenticity-based company, because with our Phishing Defense product, it takes an approach of validating the authenticity of the sender of an email for a general inbound-advanced phishing product as opposed to necessarily being content being the primary indicator of badness in email. So even as we launched new products, we stayed in our roots of authentication basically. Ken Simpson: Interesting. So kind of bringing us to the present time, what does Agari do today? What are your sort of core offerings, and what are some of the things that differentiate Agari against other providers? I think in the computer security space and in the email security space, in particular, it’s easy to just sort of assume that there’s a variety of different email security services. They all do basically the same thing, but I think the reality is a lot more nuance, so when you think about Agari’s products and services, how do you differentiate? What are the unique things that you guys do? Mike Jones: Yeah, yeah. Yeah, I’d love to talk about that. Of course, as you mentioned earlier, Agari was acquired about almost two years ago now, so we were acquired by HelpSystems, which subsequently last year, rebranded the Fortra. So we’re now Agari by Forta, or sorry, Fortra’s Agari is our brand now, and we’re part of an overall email security and digital risk protection business unit at Fortra, which has some other acquired brands as part of that business unit that we all work together. So we have PhishLabs, Clearswift, and Terranova, along with Agari in the email security space that all fall under Forta’s email security digital risk umbrella, so it’s a pretty comprehensive email security portfolio now within Fortria, but Agari specifically, we have our DMARC Protection product and our Phishing Defense products, so they’re both cloud-based, SaaS products that enterprises can use to protect their customers and their employees from spoofing and phishing, and like I said earlier, they both tend to focus on authentication and identity aspects of email. Ken Simpson: As opposed to content, so- Mike Jones: Yeah, exactly. Ken Simpson: Right, and what is the advantage of focusing on authentication as opposed to message content? How does that make … What makes that more resilient for the kinds of attacks that are going on out there in the real world? Mike Jones: Yeah, I mean, both are important, so don’t get me wrong, I’m not minimizing the importance of evaluating content of email and using that as indicators in detecting threats as well. We do have components of our products that evaluate various pieces of message content as well. It’s really a matter of focus and what we use as the core identification mechanisms in the product, and the thing with identity versus content is the bad guys are always changing the content of their attacks. They’re varying what the content is, whether they’re going to use certain types of payloads or vary the payloads. It’s that constant cat and mouse game that’s existed in email, really, since spam and phishing has been a problem in email, whereas it’s a lot harder to change your stable identity in email. It takes time to establish trust and establish an identity in email, and if you want to spoof an identity, there’s usually indicators that can be detected in the spoofing of the identity, so they certainly try to spoof the identities and try to gain trust through, using a trusted identity, but it’s harder to do that and establish the trust in an identity than it is to just change the content and the message. Ken Simpson: And so to run through an example for viewers and listeners who might not be as familiar with this area as we are, would an example of identity-based security be, for example, the fact that, let’s say that someone is trying to impersonate a construction firm that is building a new building for a university customer, and they want to convince the university’s payables department to change the wire payment instructions so that they can pay millions of dollars to a bank that the attacker controls. They might try to impersonate someone on the accounts receivable team at the construction firm. So is that a good example of where identity, knowing the identity of someone based on their email address and things associated with the email address might be superior to the content? Mike Jones: Yeah, absolutely. That’s one of the classic business email compromise techniques or scams that you’ll see out there, that it can just … You don’t have to have a different link that you’re going to send all the time because the last link you sent got detected and is getting blocked now. You don’t have to develop new malware that’s going to go on your payload. You just send an email, and you put a different name on it, and you try to make it look like or impersonate the real vendor as much as possible to see if you can get that wire payment to go through to your bank account, instead of to the actual vendors. Yeah. That’s a great example. Ken Simpson: So thinking about the landscape of threats that Agari tries to protect customers against, how has that landscape changed over the years, and bringing us to the present, what are some of the biggest threats facing your customers today? Mike Jones: Well, that business email compromise example is still a huge threat, and it’s very effective, but that’s one of the things that, that didn’t just appear out of nowhere. So business email compromise, I think back in the mid-2000 teens is when you first started seeing that talked about publicly, and it’s only grown since then, and it’s grown a lot since then, but before that, business email compromise is really in a response-based attack. It’s not a content-based attack, it’s response-based, and its roots are in the, like the rudimentary attacks that we saw in the early 2000’s that evolved over time, like there was the really basic, bad Nigerian 419 spam. That was response-based. There was no payload in those attacks. It’s someone sending you an email saying, “I want you to do something and send me money.” Right? Now, obviously, most people, that became a joke, but some people fell for it, or else it wouldn’t have continued, and that evolved into other types of response-based attacks like romance scams and the stranded traveler scams and all these things. They kept getting a little more sophisticated, and they were originally focused on consumers and those types of recipients, but then it evolved into businesses. Even now since the mid-teens, the original BEC attacks were like spoof your domain and do some sort of a spoof of your CEO. That was the most common thing, and the CEO spoofs are still common, but now, your example was spoofing a vendor or someone else in the organization who’s not quite the CEO, but might be someone you’d be more likely to talk to, right? So they even keep evolving the BEC attacks to make those more refined and more effective. Yeah, it’s still a problem. It continues to evolve. I know I was looking at the FBI’s 2022 report recently, their Internet Crime Complaint Center report, and over the last few years, BEC has always been one of the top money … The victim losses, where they tallied the money from the victim losses, that’s always been near the top, and it still is. It was number two this time, but if you looked at the number of victims, it was somewhere around eight or nine, so it’s among the most common, but it’s not the most common, but in the money that they get from it, it’s right up there at the top, and it was substantially more than the third place. I think it was close to three billion in victim losses reported, and the third place was under a billion. So I think it was triple the next most valuable crime that they were tracking, so it’s really effective still for the bad guys. Ken Simpson: And these are reported losses. Mike Jones: Yes. Ken Simpson: These are just … You can only imagine the quantity of losses that are not reported because companies are embarrassed or didn’t know that they could report them or what have you, right? Mike Jones: Absolutely. Absolutely. Unreal. Yeah. Another thing that we’ve seen kind of evolve and change is the abuse of legitimate services and infrastructure. So again, back in the old days, massive blocking of IP ranges, and botnets, and newly registered domains was really common and effective, but again, it was always the cat and mouse thing, and that still happens. Those are still important techniques in fighting abuse, but the really bad stuff you see now is probably not coming from dedicated spamming or malicious infrastructure, it’s probably coming from a real service that has a real reputation established, and they just figured out a way to either set up a free, legitimate account there, and then abuse it, and get around some sort of processes that would stop the abuse from that service or take over a legitimate account using a legitimate service, is another common thing, but yeah, as organizations continue to migrate their email to cloud services and use cloud services more heavily, that’s more and more the target of the attackers as well. Ken Simpson: Yeah, I feel like a lot of the attacks are basically just between mail servers at Microsoft and mail servers at Google, and then back again in the other direction, and so the idea that you can just block suspicious countries or autonomous systems is not going to play anymore, not nearly as well as it used to. Can you give us an example of a customer that you really saved with your technology? Can you give us an idea of a real success story? Mike Jones: Yeah. I don’t have customer names to share, but I do have a story that’s one of my favorites, and this is from relatively early days of Agari and DMARC, maybe mid-20 teens. So we had a customer. It was a large well-known company. If I said the name, you would easily know it. We were working with them to implement DMARC on their domains, and they had a particular domain that they didn’t use to send email at all. They used the domain, but they didn’t use it for email, so we said, “Let’s …” We could see in the DMARC data when they published their first monitor policy, the abuse. It was clear and apparent, and we knew that all of that traffic was abusive, so it was pretty low-hanging fruit to go just publish the DMARC reject policy for that domain, and as soon as we did it within two days, I want to say, we were looking at the reports, and there was no more traffic for that domain. It wasn’t that we were all of a sudden seeing blocked traffic. It was gone. Like the traffic disappeared, and what you could see was the day the reject policy got published, you can all of a sudden see the shift from no action on messages to reject actions, and then they just quit because they realized, “Hey, my stuff’s not getting delivered anymore. This isn’t worth my time,” I’m assuming, and then the traffic just dried up, and we’re talking tens of millions of messages a day that were being delivered that just disappeared off the face of the earth. Well, I love to talk about that story as a DMARC success, and we’ve seen that, maybe not quite that drastic, but that type of example over and over again over the years with DMARC. Ken Simpson: Wow. So you closed one door of attack, and then the attackers just gave up on that entirely. Obviously, they probably moved on to other things, but at least that low-hanging fruit method of attack is no longer an option for them. Mike Jones: Yeah. Ken Simpson: So generally, Agari obviously works with a lot of the largest companies and organizations in the world. Your customer list is amazing. The largest brands that we can all think of seem to be your customers, so how do you work with customers? Obviously, when I think of the security budget at a large bank, for example, it could be in the low single digit billions per year. Mike Jones: Yeah. Ken Simpson: How do you actually work with these huge organizations who already have teams of engineers and software developers internally who can build all kinds of things? How do you engage with these highly sophisticated organizations to help them actually improve their security? Mike Jones: Well, of course, we’re not … We’re usually working with a smaller team that’s contained within that larger security organization at a large enterprise, but we try to have a lot of touch points with them. We have a really good customer success team. We have a really good support and services, organization. So from the time they become a customer, helping them with their onboarding, making sure they really know our products well and know how to use the products. We put a lot of time into that support and have a lot of touch points to listen. Really, the key is always to listen to their problems, even when they’re a new customer, when they’re a prospective customer. Once they become a customer, you always have to be listening to their problems. So once they started using our products, “How did that change their problems? Do they have new problems now that they want to tackle?,” because we help them with others, and just listening and learning to the customers and use that data to guide what we want to build and change going forward, and really, it’s all just to make their lives easier and make their emails safer. So yeah, that’s really the core of it, listening, having enough touch points that you can really understand what their problems are. Ken Simpson: So you’re a little bit like a therapist for corporate security teams. Mike Jones: Absolutely. Ken Simpson: Sounds like. Mike Jones: Yeah. Ken Simpson: Okay. So we’ve got the present. Agari’s well-positioned. You’re now part of Forta, three other companies in the same division as you, obviously all working together in a synergistic way to help customers, but let’s look ahead to the future. What do you see as the biggest challenges facing the cybersecurity industry in the years ahead? How are you, as the product director, making sure that Agari is well-positioned for the future that’s coming at us, because it often comes a lot faster than we would like in this particular area? Mike Jones: Yeah. So one of the things I see, and I observe this talking to customers, and some customers will talk about it themselves as a biggest issue. It’s just the information and security today of information overload. Enterprise security teams have too much to deal with, and they don’t have enough people who are trained and expert enough to deal with it all, so they have too many products that are producing too much data, too many alerts. There’s too many attackers to keep track of. There’s too much security news out there to follow effectively. It’s just it’s this constant inundation of information and data and information overload. Like I said, I can see it in the customers when I talk to them oftentimes, like I said in my previous comments, talking about listening to them and trying to understand what their problems are. Most people who work in information security, especially at large enterprises, they just want a way to simplify their lives and make it all manageable so they can act on the most actionable things and make a difference where they need to and not have so much noise around them. So yeah, the last thing they want is more products to make more alerts, and of course, there’s products that have been developed out there to try to aggregate and solve some of these problems, but then again, if those products don’t get implemented well, they can actually contribute to the product problem by just adding more noise and alerts, so it’s tough. It’s tough for people. So how does my job at Agari relate to that or help with that? Well, the fact that we got acquired a couple years ago and that we’re now part of this larger organization, trying to build out a security, an email security platform, is really exciting to me because before, with our couple Agari products, we were a point solution, to be honest, in an enterprise’s security portfolio. They could not solve all of their email security problems, let alone, a wide variety of total security problems with Agari products, but when you become part of a larger organization, we have a lot more capabilities across all of the products that we have within Fortra to help a company do more through a single vendor that allows that … It’s an opportunity to make it simpler for them. Now, it doesn’t just happen that way. When you bring together a lot of different companies and products, it is a lot of hard work to bring all that stuff together in a cohesive platform that does ease the burden on the enterprise that you want to support, but that is our strategy and our goal at Fortra and I think we’re pretty well-positioned to do that over the coming years and make a security solution that our customers can reduce the noise and reduce the operational burden that they need to respond to security threats. Ken Simpson: So I know in the security space, secrecy being clandestine about your plans, how you’re going to mount to counter-attack is something you have to always be conscious of, but can you give us any sneak peek about what might be coming around the corner from the Forta Agari team? Mike Jones: Yeah, for sure. So along the lines of what I was just talking about, about building out this comprehensive platform, and it is a lot of hard work to bring different products together, but I know right now, one of the projects I’m heavily involved in, and I don’t mind talking about this because we’re out there talking to all of our customers and prospects about it right now anyways, is building out, taking what we have now with Phishing Defense as a cloud SaaS enterprise email platform, and building in some of our Clearswift capabilities into that platform. So right now, it’s pretty common in an enterprise that moves to the cloud, that they put a secure email gateway in front of their cloud mailbox environment, and then they have another additional security tool like Agari, that might be interacting with that environment. So the whole idea of moving to cloud email is that you should simplify your lives, but when you start putting on too many different products and pieces, again, you actually make it more complicated. So what we want to do is we want to say, “We have a Clearswift security mail gateway.” “We have Agari Phishing Defense. Let’s make a single cloud email security platform that’s a single deployment, a single interface, and it gives you the capabilities that you would expect to get from a security mail gateway and an advanced cloud phishing solution, and it works and integrates seamlessly with your cloud mailbox environment, and just actually achieves one of those things that an enterprise wants to do to simplify in their lives, where I now have a manageable email security platform,” and that’s really exciting to me. We’re in the middle of developing that right now. We’re looking to probably launch a beta of that in the middle of this year, so that’s really exciting. Along with that, we’re also working on integrating some of the other intelligence feeds from some of the PhishLabs products into our Phishing Defense products, so again, instead of making the customer go take other third-party intelligence sources and mash it all together on their side, we’re just taking intelligence feeds from different security products within Fortra. We also have something called our Threat Fusion Center at Fortra that aggregates threat intelligence from different product areas within Fortra, and we’re also starting to pull threat intelligence from that into the Agari products, so our customers get the benefit of all of these different Fortra security intelligence feeds, but all in their Phishing Defense product. They don’t have to do anything extra for it. Ken Simpson: So working to cut down on that information overload that you were talking about earlier? Mike Jones: Absolutely. Ken Simpson: Yeah. Huh, that’s cool. So obviously, one of the things that’s on the top of everybody’s newsfeed lately is large language models like GPT, the potential rise of Artificial General Intelligence, and I think in the security industry, we’re all kind of thinking about what that might mean for security. Obviously, if good guys can code up a few lines of code that interact with open AI’s, APIs, and make GPT do all kinds of sophisticated things, and that quite intelligently, the bad guys can do the same thing. So how do you see the role of artificial intelligence and machine learning evolving in the cybersecurity industry in the next few years, if not months, and what is Agari doing in the AI space to keep ahead of the curve? Mike Jones: Yeah, so I guess first, my hope is that AI and ML will help alleviate some of the information overload we were just talking about, by the integration of these advancements into security tools, reducing that noise and complexity that teams, that humans have to deal with. That’s my hope, but like you also just mentioned, the attackers, the bad guys, they’re going to be using this as well, so they’re not going to make it easy, right? It’s not like those tools are only going to be available to us, as security vendors or enterprises in implementing the security tools. So that’s one complication there. Then also, we have to really make sure in the cybersecurity industry that we don’t turn these advancements into buzzwords, that makes things more confusing for the security buyers who have to choose and implement tools, because I’m sure you see this too, there’s just too often that a new technology becomes more of a buzzword that everyone talks about, but then, that just leaves more work on the part of the buyers to weed through that noise to decide, “What does this really mean?” “How does it really benefit me?” So that’s another challenge I see going for … I mean, think it’s already out there, but I don’t think it’s easy to deal with for security buyers, but at Agari, yes, we do use ML models in our detections in our products, but we don’t try to say that our ML models are going to be the silver bullet that solves everything. We also, we combine the ML models with traditional methods like rules and known indicators and other threat intelligence feeds, and we try to make it so that it all works together in a way that makes sense. You have to choose the right tool for the problem you’re trying to solve, so if you don’t need an ML model, if you can solve something with a simple rule, then use the simple rule, but if you have a more complex product that requires the advanced technology, then use it and implement it in a way that makes sense in the product and to the consumer of the product. Ken Simpson: And I suppose if you’re having difficulty figuring out how to code that up, you could always ask GPT to do it for you. Mike Jones: And you always get the right answer. Ken Simpson: Yeah. Oh, you always get the right answer. It never hallucinates incorrect answers. So where do you see Agari going in the next five years? Always difficult to look out into the future that far, but you are the director of product, you’ve got to be thinking years down the road. Where do you see things going? Mike Jones: Yeah, I think the strategy that we’re working on right now to really incorporate the Agari products and the Agari capabilities into an enterprise platform that will help enterprises simplify their lives is our strategy over the next several years, and so that’s where I see us really continuing to focus. Until we can say that we’ve achieved, or at least we’re well down the path of achieving that goal, and that we are becoming a valuable partner and vendor to the enterprises and simplifying their lives, I think we’re going to keep that as our core strategy going forward, but in addition to building out that platform, our individual product capabilities have to keep evolving as well. From what we’ve seen, there’s no reason to believe the attackers are going to stop and give up and stop evolving. When you look at that Internet Crime Complaint Center report, they’re making a lot of money off of it, so they’re not going to stop, and they’re going to keep changing, and there’s also, like enterprises are locked into this cloud email strategy now as well, so maybe in the mid-’20 teens, it was still … That was the projection, but now we’re there the. It’s rare that we talk to an enterprise now that its lease isn’t partially in the cloud for their email, so that’s going to continue as well. So we have to keep helping them mitigate those evolving attacks in their cloud environments, and we want to continue to be an important part of that. Ken Simpson: Now, I might be going slightly off-script here, but I was driving down the highway the other day, and I was going through this mental exercise of imagining what the world might look like, assuming that the bad guys really start to use GPT-like technologies to conduct business email compromise attacks. So whereas today, if you want to promulgate a BEC attack, you have to actually write the email messages, you have to respond when the person responds to you. Right around the corner, presumably they’re just going to have GPT hooked up and writing the emails and managing the responses, almost like just it’s a chat interface with a goal of changing the wire payment details or whatever, and then the machine will just go and hit 500 different enterprises in parallel with the same BEC attack, but with human-level, human quality writing. So my imagining is that the volume of these attacks could suddenly go up by 500 times, 1,000 times, 10,000 times. What should enterprises be thinking about in the context of large language model enable the tax? What kind of tools should they be rolling out in order to get ahead of that problem before it becomes a super severe problem? Mike Jones: Yeah. Well, first of all, I think that that sounds like a reasonable use of the technology by the bad guys. Why not take what’s effective when I have a room full of people right now sending the emails and managing the responses? If I can automate that and amplify my scale, why wouldn’t that be my attacker business strategy? So I think that certainly sounds like a reasonable use of the technology from the bad guys’ point of view from the enterprise trying to defend against that. So at least in that particular example, it doesn’t actually change the nature of the attacks, it changes the scale of the attacks, so you really have to make sure that your defenses are ready to handle the scale of those attacks, and defenses in email, as you know for an enterprise, are multi-layered. So it’s not just your inbound email detection, that type of defense, it’s also making sure your employees understand, “What are our policies around these types of behaviors in email?” If you know that your employees should never be responding to wire transfer requests or HR data requests, make sure your employees are well-trained on that and understand that under no circumstance, will this be legitimate no matter how legitimate it looks, and make sure that they also train them on the scenarios, like you just mentioned. These could become more prevalent, and we want you to be aware that that’s the case, so be aware of that, but I think it’s really just making sure that your defenses are in place and that you’re ready for that type of scale of the attacks. Ken Simpson: Yeah. As I think more about this problem area, I have to say I agree with you. There’s not really any way that you can stop the attacks more effectively, because if they really are human-like, then they’re human-like. People are going to get deceived, but what you can do is use technologies like what Aari offers, to understand the identity of the party that is talking to you, because ultimately, even if an attacker has 1,000 bots attacking your organization with fake identities, the thing they can’t get around is the fact that those are fake identities. Mike Jones: Right. Ken Simpson: Right? You could have more attacks, but they’re all going to be fake. In some way, it makes the signal rise above the noise a bit better if they do this, right? Mike Jones: Yeah. Yeah, I was actually just thinking that, that if … Depending on the nature of how it’s done, there are times where the higher volume or frequency of that type of attack actually makes it easier to catch than- Ken Simpson: Yeah. Fascinating stuff. Well, look, I want to thank you for joining me today, Mike. This has been a wonderful interview. It sounds like Agari is up to some really interesting things, as well as your colleagues at Forta, and we all certainly look forward to seeing what comes out of the box there at Agari in the coming few years. So thank you for joining me. Mike Jones: Yeah, thanks for having me. I really appreciate it, Ken, and this was fun. I was glad to do it.