HelpnetSecurity

Securing the inbox: Where identity, brand and security meet


Getting a verified logo to appear next to your email has traditionally meant having to work with two separate entities. You have to work with a DMARC partner for setting up DMARC and BIMI, then use a trusted Certificate Authority (CA) to purchase a Mark Certificate, and this means having to source a trusted partner for both which delays the project unnecessarily.

Red Sift and GlobalSign have now folded both halves into a single package. Red Sift’s OnDMARC handles the DMARC enforcement side, and GMO GlobalSign brings the PKI that sits beneath BIMI, its Verified Mark Certificates and Common Mark Certificates, the credentials that put a trusted logo in the inbox. One provider carries the whole path from certificate to activated BIMI.

A standard that never had security built in

Most people send and receive email all day without thinking about how little protection the protocol carried from its inception. That gap has turned into one of the busiest entry points for attackers, and the people who defend organizations are giving email a harder look. Rahul Powar, CEO at Red Sift, and Mike Boyle, VP for Identity Certificates and Digital Signing at GMO GlobalSign, laid out where things stand.

Powar started at the root. “Email is unsurprisingly, a very old standard, and it doesn’t really have security built in,” he said. Over two decades it became the way companies reach customers, suppliers, and employees, and the weak spots grew into a real liability. Attacks moved from broad spam toward targeted spear phishing, and the slow uptake of the available protections turned into a material problem for organizations.

Boyle described a habit that keeps email exposed: companies treat it as its own box. “They don’t typically adopt a sort of digital trust model,” he said. Email, in his account, “needs identity, because it’s one of the factors that offsets the attacks that are coming in. Email has evolved to a point now where it should be about trust and should also be about brand awareness of brand protection.”

Attackers see one surface, defenders see silos

The mailbox is often the opening move. Powar called email phishing and impersonation “probably one of the first, and frankly, easiest ways to get inside an organization,” the point where an attacker harvests credentials and sets up wider fraud. Verizon’s latest research points to an email component in most attacks seen in the wild.

Security teams have long treated email, web monitoring, DNS hygiene, and PKI as separate boxes, “whereas from an attacker’s perspective, it’s really all infrastructure,” Powar said. His answer is “a more holistic, thought-through cybersecurity architecture that treats all of these attack surfaces in an integrated way.”

Boyle agreed that the threat ignores org charts. Attackers go after the whole organization and hunt for the weak link, which “can typically be human or technology,” he said.

AI lowers the barrier to entry

Cheap, capable models have changed the economics of attack. “We’re living in a world where this industrialized intelligence is essentially available for anyone who wants it and knows what to do with it,” Powar said, which lets attackers operate at a scale they could not reach before. Language stops being a filter. They don’t even need to be native English language speakers, since the model carries the wording for them.

Boyle sees the same force widening the attacker pool. AI “is literally opening the doors for anybody to use AI in that malicious sense,” he said, and the same tools can sit on defense, handling SOC analysis and filtering. AI can be both protection and harm if it’s used with the right tool set. For bad actors, the cost of entry is near zero.

Powar’s counsel is to get the fundamentals right. “Everyone wants a silver bullet. I think it’s realistic to say there isn’t any silver bullet, but you ensure the basics of good hygiene,” he said.

DMARC as table stakes, BIMI as the visible layer

For sending domains, one control is now mandatory. Send to Google, Microsoft, or Yahoo without at least starting on DMARC with a policy of p=none and your mail is likely going to be rejected or quarantined. If you’re not doing DMARC and you’re on the internet with any scale today, you’re probably doing it wrong.

BIMI, Brand Indicators for Message Identification, sits on top of DMARC and adds a verified logo in the inbox. The appeal cuts across departments. “For the first time, we’re seeing marketing teams and cybersecurity teams wanting to deploy these technologies together,” Powar said. Security gets a stronger posture, marketing gets higher open and CTR rates, and the recipient gets a recognizable mark of authenticity. Red Sift tracks global uptake at bimiradar.com, where adoption has climbed as more brands complete DMARC.

Boyle cautioned that adoption stays concentrated among large enterprises that guard their brand most closely, with DMARC still well below where it should be across the wider market.

Advice for a new CISO or security leader

Powar’s starting point is to drop the idea of a tidy perimeter. The damaging attacks, he said, may never cross the network boundary, traveling from an attacker to a supplier, customer, or investor adjacent to the target. He places DMARC early in the stack, calling it “very important and is actually, as per the current architecture, the first line of defense.”

Behind it sit account takeover detection and phishing simulation. His bottom line: “It’s important for CISOs or security leaders to recognize that these technologies are available, they’re practical, and they’re effective when deployed correctly.”

Boyle added that enabling a control once is the start of the job. “DMARC needs to be continuously monitored,” he said, with brand and identity assurance attached to it. He closed with a line credited to Powar: attackers “need to get lucky one time, whereas a business needs to continuously be lucky or be prepared all of the time.”



Source link