Cofense Advances Email Security With Updated Tools

Cofense is updating its Triage phishing detection technology and is introducing the Vision product to help organizations identify, orchestrate and remediate email security across distributed enterprises.

Cofense Vision

Cofense announced the launch of its new Vision email security product, alongside updated capabilities for its Triage platform, on July 30.

Cofense is positioning its combined email security offering as a Phishing-Specific Orchestration, Automation and Response (SOAR) platform. Cofense Vision provides visibility capabilities for discovering email threats that are present across an organization. Vision complements Cofense's Triage platform, which has been improved with new playbooks and workflows to help organizations stop phishing attacks that are in progress.

"Incident responders have been able to take the barrage of email and, with the help of Triage, cut out the noise and find the needle in the needle stack," Rohyt Belani, CEO and co-founder of Cofense, told eWEEK. "Now what we've got with this new product Vision is the ability not just to find the bad, but also respond to the bad."

Cofense was originally called PhishMe until the company rebranded on Feb. 26. The company still sells its PhishMe phishing simulation and training product, along with the Triage and new Vision products, to help organizations combat email phishing security threats.

At launch, the Vision capability provides integration with Microsoft Office 365 for cloud-based email and Microsoft Exchange email for on-premises deployments. Belani said that with Vision, Cofense is also providing organizations with logging and auditing trails for phishing emails to help hunt for and identify phishing threats across a distributed organization. Vision's primary user interface is available within the Triage product as an additional paid capability. That said, Belani said that if a customer for whatever reason chooses not to buy Triage but still wants the Vision capability, they will have the option to buy it as a stand-alone offering.

How It Works

Vision provides a deep level of integration with both Exchange and Office 365 that goes beyond just basic API integration with the email services, Belani said. Cofense's technology is also able to collect audit and log trails, in addition to running a clustering algorithm to correlate phishing emails, he added.

"There's a bit of a secret sauce there with the natural language processing for phishing detection," Belani said. 

Cofense also provides granular rules configuration options that enable organizations to set policies for how they want to identify and treat potential phishing emails that are detected. Belani said Cofense enables users to manually create search criteria so rather than just searching for an exact match of a given phishing email, an organization can search, for example, for any email that matches the first two words in the subject line.

Business Email Compromise

Among the most successful forms of email attacks today is Business Email Compromise (BEC), which the FBI estimates has resulted in a staggering $12.5 billion in victim losses over the last five years.

Belani said BEC is different than a typical phishing attack because it doesn't include links pointing to malicious websites or attachments with malware. With Cofense Triage, users within an organization can report suspicious emails, which can then be further examined with Vision. He added that the combination of technology and humans often is the best way to identify and stop BEC attacks.

Triage Playbooks

Alongside Vision, Cofense is updating Triage with new workflow and playbook capabilities to help orchestrate phishing investigation and response.

With Triage, organizations can now create playbooks, so that any future emails that are reported that match a given set of criteria are then passed on to another function for further investigation, Belani said. That investigation can come by way of Cofense's integration with other technology vendor products including Palo Alto's Wildfire sandbox. The playbooks can also be set up to automatically quarantine emails that meet certain criteria.

In addition to the playbooks, Belani said Cofense has also performed a significant overhaul on the underlying Triage engine to improve performance and responsiveness. He noted that the engine was originally written in the Ruby on Rails programming model and has now been redone in Java, running in containers. The updated engine is now also better at prioritizing phishing email reports, helping to improve organizational efficiency, he added. There is now also a more cohesive scoring mechanism for identifying phishing that benefits from Cofense's own analysis as well as additional third-party tool analysis that an organization might be using, such as Palo Alto Wildfire.

Looking forward, Belani said Cofense will be working on providing further automation capabilities to its PhishMe simulation product, which will also benefit from the playbook model.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.