Where Industry Meets Innovation

  • Contact Us
  • sign in Sign In
  • Sign in with certificate
mit campus


Search News

  • View All
  • ILP News
  • MIT Research News
  • MIT Sloan Management Review
  • Technology Review
  • Startup Exchange

October 26, 2015

Creating the Next Line of E-mail Security

Astra IDentity offers holistic solutions for individuals and enterprises to defend against targeted e-mail attacks.

Steve Calechman

Technology continually updates. Connections get faster. Phones become more powerful. And, unavoidably, computer attacks get smarter. What was once spam as the point of entry has moved to phishing, with hackers elevating their efforts to personalize fake messages.

Gagan Prakash
Co-Founder & CEO

Astra IDentity

Neutralizing this methodology led Gagan Prakash to start Astra IDentity after graduating from the Sloan Fellows Program in 2011. His software compares new email to old ones, developing behavioral fingerprints for each sender to flag suspicious messages. More than providing training programs, his contextual approach solves not only phishing but also the newer problem of spear-phishing, protecting companies’ information, productivity, and profits.

Pointing out the Pretender
Prakash is a software programmer, and, in 2002, he co-founded an IT company in which the flagship product hosted Microsoft Exchange e-mail as a service. After selling it, and, in hopes of finding his next venture, he enrolled in the one-year MIT Sloan Fellows Program in 2010 and got exposed to novel approaches to business and technology problems. One issue was the changing nature of e-mail attacks. Over the previous 10 years, spam had dropped from 90 percent to 70 percent of all e-mail, while the number of large companies attacked with targeted phishing had jumped from 15 to over 50 percent, he says.

With this new data and his previous experience, Prakash found his next venture and co-founded Astra IDentity with his friend and software architect Shyama Gavulla in 2013. Working with their team of engineers, they developed and patented Impostor Detection. The technology determines if a sender’s new e-mails exhibit the same behavior of past ones, looking at hundreds of message characteristics, such as the sender’s email client, location and whitespace style, “thereby forming a dynamic behavioral whitelist rather than the commonly used blacklisting method,” says Prakash, adding that spam filters only screen bad emails sent to hundreds or thousands of people.

By being lower-volume, phishing is more elusive. It also appears less threatening, while being more dangerous, as it looks like it comes from known entities, such as Bank of America or PayPal. Astra IDentity’s software not only catches phishing, but it also focuses on the growing threat of spear-phishing in which the hacker sends out a personalized message using the name and possibly the email address of someone known to the receiver. Given the greater lack of frequency, spam filters particularly struggle with these attacks, Prakash says.

The standard prevention strategy is employee training. Prakash says that the shortcoming in that approach is people soon forget what they’re told, another session is held the following quarter, and the net result is lost work hours without meaningfully increased protection. More than that, the people who have the most to lose, executives, are the most training-averse, partially due to their busy schedules. Prakash says that the Impostor Detection technology is more pro-active, snagging a questionable email before it enters an inbox and either quarantining it, moving it into a junk folder or flagging it for human review. “In essence, we verify if a sender is who they say they are,” he says.

The Downside of Generosity
While anyone with email is a potential customer, Prakash says that he focuses on the commercial market. Consumers are reticent to pay for software, and size plays a factor — attacks happens on those who have large amounts of data. His clients are typically looking to protect trade secrets and sensitive customer and employee information. Along with blanket installations, Prakash says his technology is applied in pockets, such as in human resources, information technology, finance, and the executive department, since these areas have more access to information and are the targets for spear-phishing attacks.

There are a myriad of reasons for breaches. One growing factor is the use of social media. Employees are sharing work-related information across platforms, providing more details for hackers to use in crafting emails, and often doing it on devices that have no installed protection, Prakash says. Not only has it contributed to a rise in spear-phishing, but, in a sector that constantly looks for vulnerability, the over-sharing has also created a new strain of attack, this one on cell phones. The name? Smishing.

While employee training sessions don’t provide automatic filtering, Prakash says that they do teach mindfulness. October is National Cyber Security Awareness Month, and, as part of the effort, Astra IDentity has on its website a 10-tip guide on not getting spear-phished and a simulation called “Can You Spot the Impostor?” With the game, the company generates personalized emails; the visitor tries to determine if the scenario is legitimate. It sounds simple, but Prakash says only 1 out 7 people score perfectly. “I think there’s a little bit of overconfidence in many of the users,” he says. Among the easy-to-miss elements: a different email address for a known sender, a slight misspelling in the sender’s name, and a different address for the link in the body of the email.

But there’s another reason as well. Hackers go to great lengths to achieve authenticity. In one recent instance at a public company, Prakash says that a hacker pretended to be a senior executive and sent targeted messages to the finance department, requesting a $46.7 million transfer. It was approved and only a small fraction of the money is known to have been recovered.

The Campus Effect
While Prakash’s first experience in studying at MIT was at Sloan, the effects were pretty immediate, he says. He ended up taking classes outside the business school and spent time talking to MIT engineers at the Computer Science and Artificial Intelligence Laboratory, along with going to events in the neighboring Kendall Square area. It was in this environment that he was exposed to advances in machine learning and natural language processing. Astra IDentity was formed, he says, by combining the knowledge of these advances with his experience in business e-mail, software as a service, and big data technologies.

Prakash has lived in the Boston suburbs since 1998, but since graduating he’s taken more advantage of endemic MIT talent and resources. “The education is data-centric. It’s very process oriented,” says Prakash, adding that quality is a key benefit where technology information is regularly being produced. It’s especially useful with email security in which new threats quickly outdate established solutions. “People at MIT are able to focus on the details while looking at the big picture,” he says. “We ourselves keep coming up with tactics to prevent the next attacks.”

MIT Startup Exchange actively promotes collaboration and partnerships between MIT-connected startups and industry. Qualified startups are those founded and/or led by MIT faculty, staff, or alumni, or are based on MIT-licensed technology. Industry participants are principally members of MIT’s Industrial Liaison Program (ILP).

MIT Startup Exchange maintains a propriety database of over 1,500 MIT-connected startups with roots across MIT departments, labs and centers; it hosts a robust schedule of startup workshops and showcases, and facilitates networking and introductions between startups and corporate executives.

STEX25 is a startup accelerator within MIT Startup Exchange, featuring 25 “industry ready” startups that have proven to be exceptional with early use cases, clients, demos, or partnerships, and are poised for significant growth. STEX25 startups receive promotion, travel, and advisory support, and are prioritized for meetings with ILP’s 230 member companies.

MIT Startup Exchange and ILP are integrated programs of MIT Corporate Relations.