Even in a world dominated by cross-channel communication, email remains the true system of business record. The shift towards cloud-delivered email and productivity suites like Google Workspace has enabled organizations to move away from on-premises email servers and eliminate the burden of capex investments. However, traditional security measures within cloud-delivered email and Secure Email Gateways (SEG) fall short of protecting against entire categories of targeted email attacks and data loss.
Email attacks today are laser-focused and evade traditional detection by targeting human nature. Moving beyond mass phishing and malicious payloads, attackers are now researching their targets before sending socially engineered emails. Attackers impersonate trusted parties or take over legitimate email accounts to induce actions that cause financial and data loss. Over $1.86 billion was lost to business email compromise (BEC) and email account compromise (EAC) attacks in 2020 alone, according to the FBI.
On the outbound front, the sprawl of communication applications has paved the way for direct and lateral data loss. Employees share sensitive information (PII, PCI, passwords) with noncompliant recipients, either within or across communication channels. Since the security solutions analyzing each environment are siloed, organizations lack a unified layer of context to protect their communications.
Armorblox for Google Workspace
Armorblox secures enterprise communications over email and other cloud office applications with the power of natural language understanding (NLU). The platform connects with Google Workspace over APIs to analyze thousands of signals across identity, behavior, and language. Organizations can use pre-configured Armorblox policies to stop targeted email attacks, protect against the loss of sensitive PII and PCI, and automate remediation of user-reported email threats.
Fig: A visual overview of how Armorblox stops targeted attacks and data loss on Google Workspace
- Stop targeted attacks such as business email compromise, vendor invoice fraud, executive impersonation, and credential phishing.
- Connect Armorblox with your enterprise phishing/abuse mailbox for centralized detection and automated remediation.
- Auto-remediate false positives to focus on threats that need human review.
- Remove similar suspicious emails across user mailboxes with one click.
- Detect accidental or malicious data loss over emails such as SSNs, bank account details, and account passwords.
- Study detailed email-specific analysis that draws insights from identity, behavior, and language signals.
- Leverage preconfigured policy actions to automatically delete or quarantine suspicious emails, warn users of noncompliant actions, and block sensitive data from being accessed by noncompliant recipients.
- Send Armorblox-detected email incidents to downstream SIEM and SOAR solutions over APIs.
Use Case 1: Stop Business Email Compromise
Business email compromise (BEC) attacks are laser-focused and get past traditional detection by targeting human nature. These emails usually forgo malicious links and attachments, opting instead to manipulate the target through impersonation tactics and social engineering. Traditional Google Workspace security controls and SEGs lack the context to catch these payloadless attacks.
Armorblox augments native Google Workspace email security capabilities to provide the widest non-overlapping breadth of attack protection. Armorblox analyzes all emails to build baselines around identity, behavior, and language for every organization. The platform detects a broad spectrum of BEC attacks and classifies them into granular attack categories. Security teams can set predefined actions that automatically delete or quarantine malicious emails, and warn end users of potentially suspicious emails.
Fig: Armorblox detection highlights for a payroll fraud attack
Armorblox stops hitherto undetected business email compromise attacks, helping organizations avoid financial loss and reputational damage. Accurate classification and detection highlights within each email threat provide security teams with relevant context for investigation. Automated and customizable remediation actions (deleting, quarantining, revoking access) help security teams assign response steps according to the severity of the violation, safeguarding people and data without sacrificing organizational productivity.
Use Case 2: Prevent Sensitive PII/PCI Disclosures Over Email
The rapid-fire and distributed nature of email often brings data protection and compliance into question. With the aim of speeding up business processes, employees accidentally share sensitive information such as SSNs, bank account details, and passport numbers over email. With stringent fines being imposed for accidental data loss under GDPR and CCPA, compliance is not optional anymore.
The Armorblox platform detects any instance of sensitive information (PII, PCI, passwords) being shared over email. Language-based models improve the accuracy of data loss detection compared to signature- and keyword-based approaches, since Armorblox is able to detect sensitive data within an email’s context (e.g., being able to differentiate between SSNs and Zoom meeting IDs). Security teams can set predefined actions that warn users of noncompliant actions and block sensitive data from being shared with unauthorized parties.
Fig: PII/PCI data loss over email detected by Armorblox
Armorblox helps security teams gain control over the hitherto distributed nature of sensitive data residing in email. Detecting every disclosure of sensitive PII/PCI data enables security leaders to accurately measure risk exposure. Customizable actions (warning, blocking) help security teams assign response steps according to the severity of the violation, safeguarding people and data without sacrificing organizational productivity.
Use Case 3: Automate Abuse Mailbox Remediation
Large organizations are subject to daily attack campaigns across users, resulting in abuse mailboxes bursting at the seams. Phishing awareness training has helped but sometimes overcorrects the problem, with employees now forwarding safe emails to abuse mailboxes en masse. Security teams struggle with this high email volume, wasting time on false positives and lacking both the context and time to investigate targeted attacks.
Armorblox can be connected to your enterprise phishing/abuse mailbox for automated remediation of known threats and simplified investigation of unknown threats. Every reported email is analyzed by the Armorblox detection engine, with remediation actions being applied across affected user mailboxes. Manual actions by the security team (e.g., mark safe, delete) are also applied across affected user mailboxes. Armorblox ML models learn from every manual action, creating dynamic policies that protect against similar future threats.
Fig: Automated or one-click remediation across affected user mailboxes for emails forwarded to abuse mailbox
Armorblox helps security teams avoid the alert fatigue that usually comes from instituting phishing reporting mailboxes. Predefined and automated response actions ensure compliance while also minimizing manual, repetitive work. Customizable actions (marking safe, deleting, quarantining) help security teams assign response steps according to the severity of the violation, safeguarding people and data without sacrificing organizational productivity.