Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management


Interview: Patrick Peterson, CEO & Founder of Agari

In this interview, we have with us Patrick Peterson. He's the CEO and Founder of Agari, a cloud-based solution providing visibility and controls to secure the email channel. Agari is the culmination of years of innovation, customer feedback and intense product development. Their cloud-based solution provide revolutionary visibility, response and protection from email threats attacking their customers and partners by stealing your email identity.


Prior to that, Patrick was with IronPort Systems and he was one that defined IronPort's email security appliances. He invented IronPort's sender base and serving as one of thirteen Cisco Fellows, he led a breakthrough in cybercrime research focused on "follow-the-money" investigations into spam, scareware spyware, web exploits and data theft. Patrick is one of the top experts in the world on email security. 

In the podcast, we discuss how Agari reached the point where it is protecting 85% of all email boxes in the world and what its plans are from there. Similarly, Patrick shares his thoughts on how visible security should be to the consumer and what is our responsibility as security professionals. Patrick shares some examples of where current email threats are coming from and what we is doing to counteract those measures. We also talk about where  the future of content-based malware in email is going.

The following is a brief excerpt of our interview:

Jeff Williams: I was stunned to read that you and Agari, today, you are protect something like 85% of all email boxes in the U.S.?

Patrick Peterson: That's correct. It's quite a surprising stat and when people ask me this, I often think to myself it's similar to standing in front of the Grand Canyon and wondering, "How did that little river down there, a mile down, do that?" To some extent, even though the company has only been around four years, it's been myself and a lot of other industry folks slowly eroding the evils that have been with us and with email that criminals have worked on.

All the way back to 2002, when there were a bunch of email geeks like myself realizing, "Boy, this email thing is not very well designed. Bad guys can send a bunch of email and the good guys receive it and if it's addressed to someone who doesn't work there, they bounce it back to the purported sender. If they make up your email address, you get a million bounces and your mail system goes down. We should fix that."

There was a huge bunch of work on the open standards, SPF and DKIM and Cisco and Yahoo! and the Internet Engineering Task Force, the IETF, spent years doing that and even though that really wasn't the prerequisite for solving the problem, it's a lot of those activities that have been eroding those barriers that Agari was fortunate enough to work with those leaders in the industry to actually make that kind of market penetration happen.

Hackers have better tools than you...

Jeff Williams: So all those standards, they sort of rolled up into DMARC today, is that correct?

Patrick Peterson: Exactly. We took the SPF and DKIM, which again, email geeks who happen to be listening to this call, "hi guys," will know about. Then Michael Barrett, who was the CSO of PayPal back in 2007, realized the PayPal brand is associated with phishing. It's not associated with any of the things we want it to, and it doesn't really matter how much we spend on marketing or branding or how many customers we attract, as long as the criminals can send an infinite number of messages that purport to be PayPal, they are going to win the brand war.

He was the one who really pioneered in 2007, the concept that became DMARC and after he built this prototype, we're the ones who really picked up the ball, first building it ourselves on top of his model and then teaming up with what became the DMARC, which is the new technical specification community. Which were the leaders like Yahoo! and Google, J.P. Morgan, LinkedIn, Facebook and so with them together, we really crafted that solution that became DMARC that has that kind of market penetration. If you look not at percentage but number of mailboxes, it's currently two and a half billion mailboxes globally, that Agari is protecting.

Jeff Williams: Just amazing. I remember back in the early '90s, Phil Zimmerman released PGP Mail and everyone was working on privacy enhanced mail. Then some folks were experimenting with using certificate authorities and digital certificates to secure email. I was convinced - I wrote some papers back then about privacy enhanced mail, and I was just sure that within a matter of years, everyone was going to be using digitally signed mail, of course and encrypted mail. Here it is 20 years later and only DOD, as far as I can figure, really uses encrypted and signed mail.

Patrick Peterson: Yes, correct. It's one of those universally good ideas that everyone agrees on and it turns out, getting a few billion end points to change the way they do business and inter-operate together at internet scale. Despite all the good ideas and good intentions in the world, is profoundly difficult. I think a lot of people have really kind of rejiggered their expectations on, "How long it's going to be until my mom can use those kinds of technologies and if she can't, how well can brands and enterprises really adopt them?"

Jeff Williams: So I'm fascinated about Agari. I mean, I don't think many people have heard about them. I didn't know a lot about Agari until I started preparing for this call, frankly. I'm just wondering, how did you get into this position, and I'm wondering about whether you think that that's the way security ought to be, as sort of invisible to most folks? You're protecting most of the email boxes, but it's not known.

Patrick Peterson: Yeah, great question, so two thoughts. I think one is, that is the way it should be. I mean, when I hop in my car, there's a seat belt, there's an airbag, there's crumple zones. I've heard about them because the car companies market them to me but the reality is, I don't really know how they work. I don't know how the airbags decide when to deploy and I shouldn't have to.

Similarly, perhaps my mom should be taking email security expertise courses and learning about what her financial institution is doing for application security but I think we can agree, no. She should be safe and people should provide those solutions and I think to think otherwise is a journey that we're not going to be able to do. She should, of course, be educated to know what practices she should have to keep herself safe, but that's not the case. That's one thing I would say.

The second thing I would say, and we've talked about this quite a bit, is Agari is really an example of a company who's playing the long game. Our whole solution is predicated on these 85% of mailboxes being protected. It turns out, that's an enormous undertaking that took years and we couldn't drive a lot of value until we have that. It's the typical network effect problem, "who buys the first telephone?"

I think something we're proud of is both being seamless to the consumer and also being an example of a strategic investment that really required a lot of the internet to come together but once you've made that investment, you can actually have a far more impactful durable solution than just the next shiny, bright widget that detects bad stuff.

Jeff Williams: Right, so the value really comes from everyone participating in the same solution?

Patrick Peterson: Exactly, somebody being able to leverage those two and a half billion mailboxes, 85% and then those mailboxes, the more brands who start protecting those consumers, they drive the value as well. Again, like a telephone network or a LinkedIn network or a PayPal payments network, once everyone's on it, it's pretty much a no-brainer but getting those first set of people to join, that's where the magic is.

To listen to the rest of my interview with Patrick, click here.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.