The City of San Jose is one of the 10 largest cities in the United States and is responsible for the well-being of 8,000 employees and over 1 million residents.
The City’s employees were frequently being targeted by email attacks like Business Email Compromise (BEC), account takeover, impersonation, and other socially engineered attacks. These email scams were evading native Microsoft security controls and endangering City operations.
Rob Lloyd, CIO at City of San Jose, said, “One of the biggest problems that we ran into in 2019 was this very sophisticated attack that alarmed us in very serious ways. The attack seemed to know our patterns of communication, our rhythms and timing, who the right people were. We discovered it was called a business email compromise attack - in fact, we had thought it was some insider activity, because of how sophisticated it was.”
On the operational front, the City’s security team was spending a lot of time manually triaging and responding to user-reported emails. This resulted in longer response times and prevented the City from assigning resources to other pressing cybersecurity goals.
The City was looking for an email security solution that stopped targeted attacks, reduced repetitive work for their security team, and augmented what they already had with Office 365.
“In confronting the business email compromise problem, we were looking for a three-fold solution. Number one, we wanted a solution that we could manage with a very finite, limited team. Number two, we needed the solution to be very precise about responding to the problem that we saw. The last piece was to make sure that it was a manageable tool, in the sense there weren't a lot of false positives, and that the false positives reduced with time.”
Armorblox inbound email protection
Armorblox connects over APIs to Office 365 to provide highly effective protection against targeted email attacks like BEC, account takeover, and impersonation. By using Natural Language Understanding (NLU) and other detection algorithms, Armorblox stops advanced email attacks from endangering City employees and partners.
Emails are automatically classified under granular threat categories (e.g. payroll fraud, payment fraud, phish URL in mail body, email account compromise), eliminating the need for custom policy setup and upkeep. Armorblox also automatically remediates a vast majority of detected threats, based on remediation actions configured by the security team (delete, quarantine, lock user account).
Armorblox abuse mailbox automation
The City’s security team wanted the flexibility to triage user-reported emails themselves first, before forwarding suspicious emails to security solutions. While Armorblox can directly connect to a company’s phishing mailbox to analyze emails, the platform could also be deployed in the way the City preferred.
Armorblox automatically investigates and remediates user-reported emails forwarded to the platform. Remediation actions are automatically applied across affected user mailboxes, even if only one user reported the email. Automating away the “repetitive but necessary” parts of phishing response has saved valuable time for the City’s security team.
Armorblox has helped the City meet its email security goals while also positively impacting its people and processes.
Improved protection against targeted email attacks
Armorblox provides highly effective protection against socially engineered email attacks targeted at the City’s employees. The vast majority of targeted email attacks are now automatically remediated (delete, quarantine) by leveraging Office 365 APIs, keeping the City’s employees safe without negatively affecting email availability.
User-reported email threats have decreased by 85% since Armorblox deployment due to improved inbound threat detection.
Faster response times for user-reported email threats
Armorblox has simplified and automated large portions of the phishing response process at the City. The platform is easy to use and provides quick time to value for the security team without interrupting their daily work. Reported emails are analyzed by Armorblox and automatically remediated across user mailboxes if they match existing detection categories.
Rich threat insights are provided for every email, helping the security team make quick and informed decisions whenever an email threat requires manual review. Moreover, Armorblox creates dynamic policies for threats that are manually remediated. These policies ensure that identical and similar threats are automatically remediated in the future, freeing up the security team’s time to tackle other key cybersecurity goals.
Armorblox has reduced triage and remediation times for user-reported phishing emails by over 90%.
“The biggest benefits of Armorblox to the City of San Jose are the confidence we get that it's working and preventing a lot of risk from hitting our organization, and the ease of management. The fact that we can cover 7,000+ employees, 10,000+ accounts, use AI in a very fruitful and productive way to manage risk without over-inundating our security operations center and cybersecurity staff, are powerful validators of the value Armorblox provides.”