You’ve been introduced to cloud office security and agree that it’s needed today. Before we move on to cloud office security capabilities, however, there’s one important question to address: why are current security measures not enough?
Cybersecurity has a history of overengineering complex solutions to simple problems, so it’s worth highlighting the gaps in current security controls to underscore why cloud office security applications are purpose-built for the human layer challenge.
Metadata-based detection is limited
Since BEC attacks are more sniper than sledgehammer in technique, metadata and static rules are not enough to flag these emails. A typical BEC message carries no malicious attachment or URL and is often sent from a legitimate mailbox, so there is no indicator for a rule to match on. Heavy-handed protection techniques based solely on sender identity or metadata either produce a flood of false positives or let finely crafted BEC attacks slip through.
Email authentication checks are limited
Email authentication checks like SPF, DKIM, and DMARC definitely have their uses, and they often provide important signals for email attack analysis. But they answer only a narrow question: whether a message really came from the domain it claims to come from. DMARC protects a domain against spoofing only if that domain publishes an enforcing policy and receivers honor it, so its effectiveness depends on widespread adoption. And if an attack is sent from a mailbox at a reputable provider like Gmail or Yahoo, it genuinely originates there, so it seamlessly passes all authentication checks and the burden of detection falls on busy end users instead.
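To make the limitation concrete, here is an added example (not code from the original page or from any vendor it describes) that parses the Authentication-Results header of three constructed messages and compares a policy that trusts authentication alone with one that also checks a piece of context, namely whether a known executive's display name is paired with a mailbox outside the organization. The domain example.com, the executive directory, and all three messages are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical receiving organization and its executive directory.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"michael scott": "michael.scott@example.com"}

# 1) Constructed BEC lure sent from a real consumer mailbox. It genuinely
#    originates at gmail.com, so SPF, DKIM and DMARC all legitimately pass.
BEC_FROM_GMAIL = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com;
 dmarc=pass header.from=gmail.com
From: "Michael Scott" <michael.scott.ceo@gmail.com>
To: oscar@example.com
Subject: Quick favour - wire needed today

Are you at your desk? I need a vendor payment processed before 3pm.
"""

# 2) Constructed crude spoof of the executive's real address sent from an
#    unrelated server. This is the case authentication does catch.
SPOOFED_INTERNAL = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example.com;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Michael Scott" <michael.scott@example.com>
To: oscar@example.com
Subject: Quick favour - wire needed today

Are you at your desk? I need a vendor payment processed before 3pm.
"""

# 3) Constructed genuine internal mail.
LEGIT_INTERNAL = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Michael Scott" <michael.scott@example.com>
To: oscar@example.com
Subject: Agenda for Friday

Attaching the agenda for the branch meeting.
"""

def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def auth_only_verdict(msg):
    """What a policy that relies on authentication alone decides."""
    res = auth_results(msg)
    ok = all(res.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    return "deliver" if ok else "quarantine"

def impersonation_reason(msg):
    """Context an authentication check never looks at: a known executive's
    display name paired with a mailbox outside the organization."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        return f"display name {name!r} matches an executive but sender is {addr}"
    return None

def contextual_verdict(msg):
    """Authentication result combined with the display-name check."""
    reason = impersonation_reason(msg)
    if reason:
        return "quarantine", reason
    return auth_only_verdict(msg), None

def triage(raw):
    """Return (auth-only verdict, contextual verdict) for one raw message."""
    msg = message_from_string(raw)
    return auth_only_verdict(msg), contextual_verdict(msg)[0]

if __name__ == "__main__":
    for label, raw in [("BEC from Gmail", BEC_FROM_GMAIL),
                       ("spoofed internal", SPOOFED_INTERNAL),
                       ("legit internal", LEGIT_INTERNAL)]:
        auth, ctx = triage(raw)
        print(f"{label:18s} auth-only={auth:10s} with-context={ctx}")
```

The authentication-only policy delivers the Gmail-hosted lure and quarantines only the crude spoof; the contextual policy quarantines both while still delivering the genuine internal mail. The display-name check is deliberately simple, and a production system would draw on far more context (prior correspondence, reply-to mismatches, tone), but it shows the kind of signal that has to come from somewhere other than SPF, DKIM, and DMARC.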
Fig: Targeted email attacks get past authentication checks and metadata-based detection
Cumbersome (and duplicative) email security stack
Native email security controls such as Exchange Online Protection (EOP) and Advanced Threat Protection have taken great strides in protecting users against spam, known malware, and mass phishing campaigns. Unfortunately, enterprises now end up double-paying for many of these capabilities when they also invest in a Secure Email Gateway (SEG).
A SEG sitting in front of native cloud email security not only duplicates protection capabilities, it also reduces the effectiveness of native connection filtering and detection features: once mail is routed through the gateway, the native service sees the gateway’s IP addresses rather than the original sending server, so IP reputation and similar connection-level checks lose their input. Some SEG vendors actually recommend disabling EOP features to realize full value from their solutions.
Fig: A comparative look at the email security capabilities of native controls, SEGs, and cloud office security applications
Siloed data loss prevention solutions
Protecting sensitive data in the cloud from unauthorized access is not a new thing. Data Loss Prevention (DLP) solutions have introduced and iterated on granular rules that govern access to data and applications. However, these controls are usually restricted to a specific environment and don’t protect against lateral movement of sensitive data across applications. For instance, Box Shield might prevent data loss on Box, but it won’t stop someone from downloading a confidential Box file and sending it to external parties over email.
It’s also important to note that investing in an integrated DLP solution for every cloud application will strain even the healthiest security budget. This is especially true in a SaaS-first world, where a few dollars per user per month quickly add up across applications and result in unwieldy security spend.
The precision-recall conundrum with confidential content protection
There are two major approaches that DLP tools take to protect confidential information today: keyword-based and signature-based. Both have their own struggles. Here’s an example that examines the merits and drawbacks of each. Let’s say some members of your organization are working on a skunkworks project called ‘Operation Schrute Farms’ and have compiled all the confidential information about the project in a collection of documents and spreadsheets.
In a keyword-based approach, you enter ‘Operation Schrute Farms’ as a keyword in your DLP products. Any time an email, document, or spreadsheet goes out containing the keyword, a DLP violation is triggered. This approach has good recall: it will catch any instance of ‘Operation Schrute Farms’ material being sent to unauthorized recipients, as long as the keyword appears in it. On the flip side, it has poor precision: it also generates a lot of noise by flagging innocuous mentions of the keyword. If you email a colleague about an upcoming meeting on ‘Operation Schrute Farms’, that email is flagged as well. Security teams end up buried under a mountain of false positives, without the time or energy to properly investigate and remediate the genuine DLP violations among them.
In a signature-based approach, you take signatures (cryptographic hashes) of every confidential document and spreadsheet about ‘Operation Schrute Farms’ and load them into your DLP products. This approach has good precision: whenever one of those exact files is shared with unauthorized recipients, it is flagged as a violation, and little else is. On the other hand, it has poor recall: if you open a confidential document, change a few sentences, and save it again, the hash changes and the protection is rendered moot. The same goes for pasting a paragraph of the document into a new email, since the hash covers the file as a whole.
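The trade-off described in the two paragraphs above, as an added example that is not part of the original page: both policies are implemented over a small constructed set of outbound messages with known ground truth, and precision and recall are computed for each. The project name comes from the text; the documents, the outbound traffic, and the labels are constructed for this example.

```python
import hashlib

PROJECT = "Operation Schrute Farms"

# Constructed confidential files for the hypothetical project.
CONFIDENTIAL_DOCS = [
    "Operation Schrute Farms - budget\nQ3 spend: 1.2M on the beet processing line.",
    "Operation Schrute Farms - vendor list\nAcme Farm Supply, contract signed 2023-04-01.",
]

# Constructed outbound traffic to external recipients, with ground truth:
# True means confidential project content is actually leaving the org.
OUTBOUND = [
    (CONFIDENTIAL_DOCS[0], True),                                         # exact copy
    (CONFIDENTIAL_DOCS[1].replace("2023-04-01", "2023-05-01"), True),     # lightly edited copy
    ("Reminder: the Operation Schrute Farms sync moved to 3pm.", False),  # innocuous mention
    ("Lunch at Cugino's on Friday?", False),                               # unrelated
]

def keyword_policy(text):
    """Keyword approach: flag anything that mentions the project name."""
    return PROJECT.lower() in text.lower()

# Signature approach: exact hashes of the known confidential files.
FINGERPRINTS = {hashlib.sha256(d.encode()).hexdigest() for d in CONFIDENTIAL_DOCS}

def signature_policy(text):
    """Signature approach: flag only byte-for-byte copies of fingerprinted files."""
    return hashlib.sha256(text.encode()).hexdigest() in FINGERPRINTS

def evaluate(policy, samples=OUTBOUND):
    """Precision and recall of a policy against the labelled traffic."""
    tp = fp = fn = 0
    for text, is_leak in samples:
        flagged = policy(text)
        if flagged and is_leak:
            tp += 1
        elif flagged:
            fp += 1
        elif is_leak:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"precision": precision, "recall": recall,
            "false_positives": fp, "false_negatives": fn}

if __name__ == "__main__":
    for name, policy in [("keyword", keyword_policy), ("signature", signature_policy)]:
        print(f"{name:9s} {evaluate(policy)}")
```

On this traffic the keyword policy reaches recall 1.0 but precision 0.67, because the meeting reminder is flagged alongside the two real leaks; the signature policy reaches precision 1.0 but recall 0.5, because changing one date in the vendor list changes the hash and the edited copy passes. Swap in your own labelled samples to see how the balance shifts with the volume of casual mentions versus edited copies.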
“When organizations have to choose between a keyword-based DLP approach that has high recall but poor precision, or a signature-based DLP approach that has high precision but poor recall, the choice ends up hinging on minimizing the downsides rather than leveraging the upsides of each approach.”
No unified context and learning
Since security products (both inbound threat protection and outbound DLP) are largely application-specific today, organizations lack a universal layer of context: what constitutes sensitive or confidential data, user behavior such as login and access patterns, and the nature of internal and external interactions.
At the outset of this guide, we mentioned that people are at the center of the most attacked and least protected security layer. Since people communicate across email, messaging, and file-sharing applications, it’s vital for security controls to capture behavioral baselines that span these environments and to learn from them.