Malicious hackers are getting ever more creative with the techniques they use to break into networks to steal data and wreak havoc, but their primary route for opening that door has remained pretty consistent. Email is by far the most popular entry point for setting up and executing phishing, ransomware and other attack vectors, leading to some $2.4 billion in damages in 2021 across business email interactions in the U.S. alone, according a report last year from the FBI.
Today a startup called Sublime Security is emerging from stealth with a novel, collective approach for tackling that problem: it has built a platform, and domain-specific language (DSL), for researchers and security operations people — those defending networks — to write, run and share rules with each other for detecting and blocking the wide range of threats most (and least) commonly delivered via email.
The Washington, DC-based startup has been operating in private beta for over one year, and in that time it’s picked up a number of large multinational customers ranging from government organizations through to companies like Spotify — along with a waiting list of 2,500 others. Now, as it moves into general availability it’s also announcing funding of $9.8 million.
Decibel is leading the round, with Slow Ventures and a number of individuals in the world of cybersecurity participating, including Sounil Yu (the Cyber Defense Matrix and DIE Triad creator); Snort and Sourcefire creator Martin Roesch; veteran CISOs Jerry Perullo and Michael Sutton; Demisto founders Rishi Bhargava and Slavik Markovich; Lookout founder Kevin Patrick Mahaffey; and Phantom Cyber and Pangea founder Oliver Friedrichs.
Sublime covers vectors like malware, ransomware, credential phishing, VIP impersonation and callback phishing. Its code can be applied to Microsoft 365 and Google Workspace enterprise mail systems, as well as run on individual accounts via IMAP. And in addition to its most basic use — inbound email security — Sublime can be used to gather and analyze trends in threats to an organization, block entire domains, run security exercises for compliance and training, and more.
Joshua Kamdjou, who co-founded Sublime with Ian Thiel, said in an interview that he first got the idea for the startup based on work he was doing for the Department of Defense, where he started working as a “white hat” hacker when he was still in high school.
There, he got closely acquainted with the techniques that malicious hackers were using with phishing emails.
“Attackers are constantly coming up with new ways of bypassing defenses,” he said, the problem being that most of those defenses are based around security parameters set up by single security vendors, a “black box” approach in his words. When new techniques were applied by hackers, the onus was upon vendors to issue patches and updates to their systems to account for those.
But then new techniques would come up, and so on and so forth, creating lags and gaps in protection. “The vendor is the bottleneck,” he said. In his own testing, Kamdjou would apply a phishing technique one month, and then return a month later, “and the problem would still be there.”
Kamdjou saw an opportunity to build a solution by tapping into the collective knowledge and working practices of developers. Coming from the world of hacking and coding, using services like GitHub to track and contribute to projects was in his DNA. He applied that crowdsourced model to how Sublime would track and grow its own database of threat vectors and approaches.
To be clear, Sublime is not “open source” and Thiel and Kamdjou said they were still deliberating what aspects, if any, they might potentially make open source down the line. But it does borrow from some of that ethos. The Sublime team has written around two-thirds of the rules in Sublime’s database, with one-third contributed by the community, Thiel said.
Individual organizations subsequently make their own calls about how to customize their own email security, which of these rules to apply and which to leave to the side, putting significantly more power into the hands of customers. That’s been of its selling points so far.
“Sublime gives detection teams the chance to take back control of the email inbox,” Dan Nguyen-Huu, a partner at Decibel, said in an interview. “The community-powered DSL means all of its customers are speaking the same language, sharing rules and being able to remediate better,” he said. “It means they can unite to fight the common enemy.” The approach it takes is unique in the market, he added.
“Defenders know their networks better than anyone, but we weren’t arming them as a community,” Kamdjou said. It’s also how many other security products not associated with email work. YARA for binaries, Sigma/EQL for logs, Snort/Suricata for networks, osquery/EDR for endpoint, Semgrep for static analysis are some of the examples Kamdjou cited.
Interestingly, the number of contributors so far has been only a small fraction of the total number of users that Sublime currently has.
“It’s kind of like Twitter,” Kamdjou said. “Most don’t Tweet, just read, and it looks like our model will be similar with only a small number writing rules and the rest finding those useful.”
Twitter is an apt analogy for another reason: Thiel said that Sublime has largely growth by word of mouth, and a lot of those words have been exchanged on that particular social platform. “Infosec lives on Twitter,” he said.
With new tools like generative AI representing potential ways to increase the volume of more sophisticated and convincing emails, you can see why and where it would make sense to speed up how end users themselves might be able to identify and respond to these threats. That might lead to more contributors, and more Sublime use, over time; what will be interesting to watch is how and if AI models start to get applied to the generation of more defenses, too.