Armorblox Secures Your Cloud Office With Box And Slack Integrations

Posted by Felix Jiang, Jun 17 2020

We have exciting news to share! Today, Armorblox announced integrations for Box and Slack, a critical step in our journey to protect people and data across cloud office applications. The nameless category* we created in 2017 by introducing language as a signal for threat detection and analysis has reached a watershed moment today as Armorblox moves beyond just inbound and outbound email protection. This blog will chart the path Armorblox took to get here today and highlight the capabilities of our Box and Slack integrations.

*The category has a name now: cloud office security.

How We Got Here

Armorblox was founded in 2017 to solve a clear security problem: adding a context layer to security to break out of the metadata trap that so many security controls had fallen into. We wanted to expand the notion of ‘user identity’ to include behavior and - most importantly - language signals that could reason with textual data in a meaningful way. As security products grew in sophistication to protect every other security layer, it was clear to us that the human layer remained the most vulnerable and least secured part of the organization. Adversaries were bypassing traditional security controls by sending targeted, socially engineered emails that stole money and data by ‘just asking for it’ in a persuasive, seemingly legitimate manner.

With the world’s first natural language understanding (NLU) engine for cybersecurity, Armorblox analyzes identity, behavior, and language on all email communications to stop targeted attacks such as payroll fraud, vendor fraud, and VIP/employee impersonation. By connecting to email providers over APIs without any MX modification or email rerouting, Armorblox simplifies the email security stack and protects organizations across Office 365, G Suite, or Exchange. Since launching out of stealth in February 2019, we have been thrilled and grateful to see Armorblox gain the trust of our customers, end users, and industry analysts alike.

Fig: Armorblox for email security

Although email security was the first Armorblox foray into cybersecurity, our NLU engine was always built to be leveraged across cloud applications that people used on a daily basis - applications such as messaging and file-sharing.

Securing the Cloud Office

Through our conversations with CIOs and CISOs, we found that between 70% and 90% of all enterprise data is textual in nature. Two causes for concern reign supreme here:

  1. Humans don’t communicate in silos. Although email remains the true system of record, this textual data often spreads beyond email to applications such as messaging and file-sharing.
  2. Enterprise security fails to understand and analyze this textual data, usually reducing the data into an SHA-256 or an MD5 signature. Signature-based detection is binary by nature and divorces data from its context.

With the Box and Slack integrations, Armorblox is firmly placed to secure all enterprise communications from targeted attacks and data loss. By analyzing thousands of signals across cloud applications, the Armorblox NLU engine has universal context over sensitive/confidential data, user behavior such as login and access patterns, and the nature of external/internal interactions. Our latest product release introduces:

  • A Slack integration that stops malicious URLs and sensitive PII/PCI data from being shared over Slack messages.
  • A Box integration that stops malicious URLs and sensitive PII/PCI data from being stored in or shared over Box files.

and much more!

Fig: Armorblox for Cloud Office Security

Protective eyewear at the ready? Let’s look into the light of Armorblox’s product release:

The Hidden World of Noncompliant Slack Messages

The widespread adoption of Slack has caused gaps in data visibility and security. Whether accidentally or maliciously, employees share sensitive PII/PCI information over Slack messages with noncompliant recipients. Shared Slack channels between organizations create a wormhole through perimeter defenses, further heightening the possibility of data loss. With these lapses being stringently penalized under regulations such as GDPR and CCPA, compliance across messaging platforms is not optional anymore.

Armorblox analyzes all Slack messages to build baselines around identity, behavior, and language for every organization. The platform detects any instance of PII/PCI information - such as bank account numbers, SSNs, and unencrypted passwords - being shared on Slack. Security teams can set predefined actions that block sensitive data from being shared with unauthorized parties over Slack. These actions can be stacked and customized according to group membership and user roles. Learn more about customizable response actions here.

Fig: Armorblox DLP violation for Slack

Armorblox also stops malicious URLs from being shared over Slack, preventing attackers from compromising an employee’s Slack credentials and weaponizing their Slack account to conduct further attacks. Security teams can set predefined response actions to automatically delete malicious URLs detected over Slack.

To learn more about the Armorblox integration with Slack, view our Slack solution brief here.

The Challenges In Securing Cloud-Hosted Files

Applications like Box have done wonders for organizational productivity, enabling employees to collaborate and share data with ease. Unfortunately, the easier it is to share data, the easier it gets to share sensitive data with unauthorized recipients. Whether accidentally or maliciously, employees can share sensitive PII/PCI information over cloud-hosted documents with noncompliant recipients.

If an employee’s Box credentials are compromised, adversaries can exploit the high reputation of the Box domain to launch follow-on targeted attacks. Adversaries host malicious URLs or malware on enterprise Box accounts to attack high-value targets such as customers and third-party vendors. If these are zero-day attacks, the payload can reach thousands of targets before someone reports it and gets it taken down.

Armorblox analyzes all unstructured Box files to build baselines around identity, behavior, and language for every organization. This enables the platform to detect zero-day links and sensitive PII/PCI information hosted on or shared over Box files. Security teams can set predefined actions that automatically revoke access or delete malicious/sensitive Box files.

Fig: Armorblox DLP violation for Box

To learn more about the Armorblox integration with Box, view our Box solution brief here.

Addressing Lateral Data Loss

The disparate and siloed nature of DLP solutions has made it tougher for security teams to gain visibility over sensitive data, whether at rest or in transit. Since there’s no universal context identifying data as sensitive across applications, an employee can easily download sensitive data from Slack or Box and share it with noncompliant recipients over email. Products such as Box Shield help prevent leaks and downloads of files that are classified in Box, but security practitioners need to augment its capabilities to further prevent the lateral loss of sensitive data across Box and other cloud office applications.

By connecting with email, Slack, and Box over APIs, Armorblox builds contextual baselines that run across applications. Based on preconfigured policies and user-defined inputs, the Armorblox platform has a universal understanding of what constitutes sensitive and confidential data as well as the recipients who are allowed to access that data. This cross-application context enables Armorblox to detect data loss both within and across email, Slack, and Box.

Fig: Armorblox prevents data loss across cloud office applications

Ongoing Email Security Improvements

Our team continues to make additions to the NLU engine that improve detection and classification for targeted email attacks. We have increased the number, sophistication, and types of signals to analyze for two unique attack types, namely extortion and vendor/brand impersonation.

We continue to train both the global and per-organization Armorblox ML models on a large corpus of relevant signals and email attacks. Detections for extortion and brand/vendor impersonation attacks will now be accompanied by analysis that explains why Armorblox thinks the emails are dangerous, what vendor/brand is being impersonated, and what text within the email alerted our language models.


We hope you’re as excited to get your hands on our Box and Slack integrations as we were while building them! To see cloud office security in action, schedule a demo of Armorblox today. Stay tuned for more product updates and deep-dives in the weeks to come.
