I wrote last week about our adoption of INKY and teased about the INKY logo. To spare you the searching, I have included a screenshot of the INKY logo.
So, what is it about INKY? Today I want to take a deeper dive into INKY and why I am so enthusiastic about it. (And I apologize—kind of—for the easy rip-off of the movie title.)
A Sidebar on Product Differentiation
Technology companies approach me all the time, hoping to convince me to sell their kit. I ask them two questions.
- Who (and what) do you compete against?
- What makes your product/service different than your competitor’s?
Notice that I asked about what is different. I did not ask what makes their product/service better.
I see some issues with a focus on “better” as a product (forgive me if I do not want to write “product/service” another million times in this post).
- First, “better” is in the eye of the beholder. Way back when, we used to talk about “speeds and feeds.” How much throughput and how many kinds of connections. And for some products, being faster was enough to be better. It is often more complicated to say what makes a product better than another. Most of the time, different people will have different opinions about what makes a product “better.” If we cannot agree on what constitutes “better,” I am not going to convince you to buy the new thing I am selling.
- Second, a company must continually invest in their product to keep it “better” than the competition. I was buying epoxy glue the other day. I needed to choose among four or five different products, each advertising itself as creating a bond that would hold a different amount of weight. How much weight did I need this bond to hold? 5 pounds? 1500 pounds?
Imagine if you introduce an epoxy glue and tell the market it is better because it creates a 10-pound bond, vs. the 5-pound bond your competitor can make. Can you guess what happens next? That is right. Your competitor introduces a glue that can hold 15 pounds. And on it goes.
INKY is in a New Class
I took you on that product sidebar because if you look at the INKY marketing material, you will see them talk about INKY as being “better.” Maybe I am putting too fine a point on it, but I disagree. I think about INKY as being in a different class of anti-phishing and anti-malware product.
Most anti-malware products rely (in part) on pattern-matching. They compare a file’s “signature” (its checksum) against a list of known malware files. If the signatures match, the anti-malware product concludes that the attachment is dangerous. Signature-based analysis is limited to catching known malware exploits. It cannot catch zero-day exploits because they do not have a recorded signature.
This is a brute-force method of defense. It is like blocking emails based on the sender’s email address or blocking spam calls based on the calling number. It works, but only for that one instance. You cannot apply the solution to similar problems.
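To make the limitation concrete, here is an added example (not INKY's code or any vendor's) that runs a checksum blocklist and a simple behavior rule over the same constructed samples. The file bytes, the sandbox action names and the rule are all assumptions made for illustration.

```python
import hashlib

# Constructed samples: file bytes plus the actions a sandbox recorded when the
# file was opened. Bytes and action names are illustrative, not real malware.
SAMPLES = {
    "known_dropper": (b"DOC|macro:fetch-and-run|build=1001",
                      {"spawn_shell", "network_download", "write_autorun"}),
    "rebuilt_dropper": (b"DOC|macro:fetch-and-run|build=1002",
                        {"spawn_shell", "network_download", "write_autorun"}),
    "auto_updater": (b"EXE|vendor-updater", {"network_download"}),
    "plain_report": (b"DOC|text-only", {"render_text"}),
}

# The signature list only contains what has already been seen and recorded.
SIGNATURES = {hashlib.sha256(SAMPLES["known_dropper"][0]).hexdigest()}

# Assumed behavior rule: flag a file only when it performs ALL of these actions.
# Requiring the combination keeps a benign downloader from being flagged.
BEHAVIOR_RULE = {"spawn_shell", "network_download"}


def signature_match(data: bytes) -> bool:
    """Exact checksum lookup: any change to the bytes yields a different hash."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def behavior_match(actions: set) -> bool:
    """True when every action named in the rule was observed."""
    return BEHAVIOR_RULE <= actions


def compare(samples: dict) -> dict:
    """Return {sample name: (signature verdict, behavior verdict)}."""
    return {name: (signature_match(data), behavior_match(actions))
            for name, (data, actions) in samples.items()}


if __name__ == "__main__":
    for name, (sig, beh) in compare(SAMPLES).items():
        print(f"{name:16} signature={sig!s:5} behavior={beh}")
```

The rebuilt sample differs from the recorded one by a single character, so its checksum is not on the list, yet it is still flagged because it does the same things.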
Three Things About INKY
What is it about INKY that puts it in a different class of solution?
- INKY (“she,” according to the INKY site) uses computer vision to catch logo impersonation. You have no doubt seen those emails that include (seemingly) the logo of a brand you trust—Microsoft, Adobe, etc. Scammers include the logo to increase the chance that users will trust the message as legitimate. Users will see the logo, but they are not going to do any in-depth analysis to see if the logo is the real thing. Computer vision does the in-depth scanning and uses it to flag suspicious emails. Computer vision is not enough to provide a complete anti-malware and anti-phishing solution. However, it does address one important avenue for phishing attempts.
- Another thing about INKY is that she (I fell for it, HA) uses “social profiling and stylometry” to identify impersonation attempts. I am not clear on what “social profiling” is. I think it refers to learning the communication patterns of your organization’s high-profile users (CEO, CFO, etc.). Who does this person communicate with (via email) on a regular basis? And what about INKY and “stylometry”? (I admit, I had to look that one up.) INKY pays attention to a user’s writing style. When INKY sees a message from someone that deviates from their typical writing style, it flags the message.
- As I described earlier, one thing about INKY is that it parses file attachments and examines each part for malware. (No, I do not know what the different file parts are.) INKY looks at how these file components behave—what do they do—as part of determining the safety of a file.
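The stylometry idea in the second item can be sketched as follows. This is an added example, not INKY's implementation: it scores a new message against a sender's baseline using character-trigram cosine similarity, and the sample messages, the sender name and the 0.3 threshold are assumptions.

```python
import math
from collections import Counter

# Constructed sample messages; sender, wording and threshold are assumptions.
BASELINE = [
    "Hi team, please find the numbers attached. Let me know if anything looks off. Thanks, Dana",
    "Hi Sam, thanks for the update. Let me know when the report is ready. Thanks, Dana",
    "Hi all, please review the draft before Friday. Let me know if you have questions. Thanks, Dana",
]
GENUINE = "Hi Lee, please send the draft when it is ready. Let me know if anything is missing. Thanks, Dana"
SUSPECT = "URGENT!! Need gift cards purchased TODAY. Cannot talk, in meetings!!! Reply ASAP."
THRESHOLD = 0.3  # assumed cut-off; a real deployment would tune it per sender


def trigrams(text: str) -> Counter:
    """Character trigram counts. Case and punctuation are kept: both are style signals."""
    return Counter(text[i:i + 3] for i in range(len(text) - 2))


def build_profile(messages: list) -> Counter:
    """Sum trigram counts over a sender's known-good messages."""
    profile = Counter()
    for message in messages:
        profile.update(trigrams(message))
    return profile


def style_similarity(profile: Counter, message: str) -> float:
    """Cosine similarity between the sender profile and one message (0.0 to 1.0)."""
    msg = trigrams(message)
    dot = sum(count * profile[tri] for tri, count in msg.items())
    norm = (math.sqrt(sum(c * c for c in profile.values()))
            * math.sqrt(sum(c * c for c in msg.values())))
    return dot / norm if norm else 0.0


def deviates(profile: Counter, message: str, threshold: float = THRESHOLD) -> bool:
    """Flag a message whose style is too far from the sender's baseline."""
    return style_similarity(profile, message) < threshold


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for label, text in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(label, round(style_similarity(profile, text), 2), deviates(profile, text))
```

Three messages make a very small baseline, and short messages give noisy scores, so a score like this works as one signal among several, not as a verdict on its own.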
What INKY Tells Us About the Future
As I said earlier, INKY represents a new class of anti-phishing and anti-malware solution. INKY is using machine learning and artificial intelligence to catalog behavior. What happens when I visit the URL in the email? If I open the attachment, what happens? These ML and AI approaches are good and getting better. When I think about INKY, I see pattern-matching taken to a new level: behavior.
Information security will always be a cat-and-mouse game between Good and Bad. What I like about INKY is that the methods it uses generalize to more use cases (what a file does vs. its checksum). Yes, bad actors can change their behavior as they construct phishing campaigns. But more generalized and behavior-based defenses will have an easier time detecting and blocking them. It is nice to see anti-phishing and anti-malware solutions evolve their toolsets.