The Definitive Guide to
Cloud Office Security

Everything you need to know about securing communications across email, messaging, file-sharing, and other cloud office applications.


Let's Get Started

As business applications move to the cloud and remote work practices gain momentum, organizations run the risk of leaving the human layer unprotected. The sprawl of cloud applications has paved the way for targeted inbound attacks and data loss. Enter stage right, cloud office security.

This guide will go through the basics of cloud office security, its drivers, why current security measures fall short of complete cloud office protection, and the technology capabilities your organization should look out for while pursuing a cloud office security strategy.

Introduction
What is Cloud Office Security?
Cloud Office Security vs Cloud Security - What’s the Difference?
Why is Cloud Office Security Needed?
Why Current Security Measures are Not Enough
The Components of Cloud Office Security: A Capability Checklist
Armorblox: A Gartner Cool Vendor in Cloud Office Security

Introduction

We live in a world dominated by remote work, cloud adoption, and digital workflows. This evolution in the way we live and work has resulted in improved organizational agility and a happier (not to mention more efficient) workforce. We send important communications over email, collaborate on Slack, store files in Box, and are able to complete business-critical processes much faster than ever before. However, chinks in this cloud-first armor have begun to appear.

While security technologies have focused on protecting every imaginable layer within cloud security, the most targeted layer is also the most overlooked - the human layer. Humans sit at the center of this collaboration sprawl, talking and writing and performing critical actions that keep businesses running. While all of this context lies unanalyzed, targeted attacks and data loss rear their heads.

Email attacks today are laser focused and evade traditional detection by targeting human nature. Moving beyond mass-phishing and malicious payloads, attackers are now researching their targets before sending socially engineered emails. Attackers impersonate trusted parties or take over legitimate email accounts to induce actions that cause financial and data loss. Over $26 billion has been lost to business email compromise (BEC) attacks over the last three years according to the FBI.

Fig: The rise of BEC attacks

Even after deploying a bevy of DLP tools, both direct and lateral data loss are prevalent across organizations today. The desire for speed and productivity usually comes at the expense of data privacy and compliance. Whether inadvertently or maliciously, employees share PII, PCI, passwords, and confidential data - either with outside parties or laterally across email, messaging, and file-sharing services.

A new layer of security controls has emerged to protect the human layer across office applications. Enough stage-setting, let’s introduce cloud office security.


What is Cloud Office Security?

Let’s start off simple:

Cloud office security refers to processes and technologies that protect people and data across any channel used for communication and collaboration. These channels include but are not limited to email, messaging, file-sharing, and video communications.

Fig: A visual overview of cloud office security

If we study this definition closely, three terms stand out:

Processes and technologies

Cybersecurity often tends to revert to a silver bullet mentality, but this should tell you that there’s no all-healing panacea for cloud office security. Similar to DevSecOps or Zero Trust, adopting cloud office security requires more than just implementing the relevant technology. It requires strategizing and deploying organizational practices that protect your business workers from losing money or data to socially engineered attacks.

It requires embracing API-first implementation of security controls that are best suited to safeguarding a distributed workforce using distributed cloud apps. It requires democratizing threat triage across employees, enabling workers to mark threats as safe or suspicious to increase alert relevance and reduce alert fatigue for your security team. It also requires empowering end users to classify confidential data and institute universal security controls that recognize the confidentiality of that data across channels.

Simply put, cloud office security is a journey requiring organizational flexibility and organizational discipline in equal measure.

Protect people and data

Traditionally, security products that detect and respond to inbound threats (like phishing and BEC attacks) lie separate from security products that prevent outbound data loss. But if we put people at the center of this security equation, it’s necessary for security controls to tackle both the inbound and outbound halves of this coin.

On the inbound front, cloud office security technologies protect against the entire spectrum of targeted attacks including BEC, account takeover, and impersonation. Cloud office security solutions are built to augment the traditional security controls that your email provider might already have (e.g. Exchange Online Protection and Advanced Threat Protection for Office 365, or the Advanced Protection Program for G Suite).

On the outbound front, cloud office security technologies prevent the loss of sensitive and confidential data both within and across cloud application channels. Cloud office security solutions are built to augment and improve upon traditional DLP rules through contextual understanding of data and the people sharing that data.

Across any channel

We’ve left the most pertinent point for last. Cloud office security technologies are purpose-built to work across channels including email, messaging, file-sharing, and other cloud application channels.

The cross-channel nature of cloud office security is necessary because the elements being protected - people and data - don’t reside on any one channel today. Analyzing signals across channels gives cloud office security technologies universal context of enterprise communications. This context is vital in addressing concerns where siloed security solutions fall short (e.g. an employee downloading a sensitive document from Slack and sharing it with an outside contractor over email).


Cloud Office Security vs Cloud Security - What’s the Difference?

Now that we’ve defined cloud office security, you’re probably wondering how it all fits in with other layers of cloud security. Protecting cloud environments is certainly not a new development, so how is cloud office security different?

Cloud security constitutes many layers, each with its own set of technologies and controls that protect the integrity of virtualized IP, data, applications, and infrastructure. Cloud office security protects the human (or contextual) layer that sits atop all other cloud security layers.

  • Cloud Infrastructure Security:

    Products that detect anomalies, stop vulnerabilities, and ensure continuous security on the cloud infrastructure layer.

  • Hypervisor/Container Security:

    Products that detect anomalies, stop vulnerabilities, and ensure continuous security on the hypervisor/container layers.

  • Cloud Application Security:

    Products that detect anomalies, enforce compliance, and prevent the loss of structured sensitive data on cloud applications.

  • Cloud Office Security:

    Products that protect people and data through a shared understanding of organizational context across cloud office applications.

Let’s take an example of a security attack to broadly define the roles of different cloud security layers. Adversaries get hold of an employee’s Box login credentials through a zero-day credential phishing email. Upon infiltrating the employee’s Box account, the adversaries host the same zero-day URL on a Box file and share it with other employees and customers for follow-on compromise. The adversaries also find a sensitive Box file that lists the AWS account credentials of a few engineering team members. After gaining access to AWS, the attackers set up a cryptojacking environment by diverting some EC2 processing power.

Every cloud security layer does its part while detecting and responding to this multi-part attack, but the entire attack was possible because adversaries were able to phish an employee’s credentials and move laterally to their Box account. Cloud office security solutions are built to detect and respond to the attack entry point in this example.

While all the other cloud security layers undoubtedly have their merits, it’s usually a human being targeted (or making a mistake) that acts as the entry point for all the other security layers being negatively affected. Improving your cloud office security posture can lead to better ROI for the entire cloud security stack.

Why is Cloud Office Security Needed?

So you’re clear on what cloud office security means and where it falls within the cloud security umbrella. The obvious next question is - so what? Why is cloud office security needed?

In some ways, decades-long technological trends have led us to this point where cloud office security should be a key part of every organization’s security stack.

Rapid (and unsecure) cloud adoption

Most business applications have moved to the cloud, and the ones that haven’t are in the process of being moved. The worldwide public cloud services market is forecast to grow 17% in 2020 to total $266.4 billion, up from $227.8 billion in 2019, according to Gartner, Inc. This is unquestionably a positive trend - cloud adoption improves organizational agility, minimizes the burden of capex investments, and results in a more efficient outlay of resources across the board. However, privileging speed of adoption often comes at the expense of securing these cloud environments and apps.

For instance, recent research from ESG found that 53% of cloud email users believed native email security to be insufficient. Among those organizations, only 23% chose to incorporate additional, third-party controls before migrating to cloud-delivered email. More than one in five (21%) assumed native controls would be sufficient, which proved not to be true, leaving most to add controls post migration.

Communication sprawl

Over the course of reading this guide, you will probably get five different-sounding notifications from your phone informing you of a Slack message, some emails, an upcoming Zoom meeting, and a Box file someone shared with you. Research from 2018 found that the average business used 1,181 cloud services and the vast majority of those services weren’t completely enterprise-ready.

This is the double-edged sword most organizations have to deal with. Employees access a sprawling ecosystem of third-party apps, resulting in productivity gains and efficient business processes. But this same sprawl has created a large threat surface where any cloud application - and the humans using the application - are potential entry points for targeted attacks as well as potential sources of data leakage.

Distributed workforce

If you’re reading this guide in 2020, you’re probably reading it from home. But even if we keep force majeure events aside, the nature of work has become increasingly distributed over the years. Research from Global Workplace Analytics found that the number of people working from home grew by 140% from 2007 to 2017. These numbers are sure to increase further now as the world navigates shelter-in-place policies and social distancing.

This rise in remote work will lead to happier, more productive employees. But it also means the security threat surface just exploded. Organizations that could earlier apply stringent perimeter security measures and protect workplace assets now have to deal with people and data spread across the globe.

Socially engineered attacks

While all the aforementioned trends - cloud adoption, cross-channel communication, and telecommuting - have gathered pace, security adversaries have unfortunately not been standing still. Spray-and-pray phishing attacks have given way to the surgical precision of social engineering.

Email attacks today are laser focused and evade traditional detection by targeting human nature. Moving beyond mass-phishing and malicious payloads, attackers are now researching their targets before sending emails that trigger authority, urgency, or fear in the targets’ minds. Attackers impersonate trusted parties or take over legitimate email accounts to induce actions that cause financial and data loss.

Fig: The rapid rise of business email compromise

BEC attacks are not just a singular entity either.

Multiple attack types exist within the BEC umbrella, each utilizing a different combination of techniques to get past traditional defenses. Some attack types include:

  • Payroll diversion fraud:

    Targeted emails that fraudulently request a change in direct deposit information to steal from an employee.

  • Email account compromise:

    Attackers take over a legitimate email account through credential phishing. Attackers then use that account for further compromising customers, third-party vendors, and internal employees.

  • Vendor email compromise:

    A ‘long con’ business email compromise attack that exploits legitimate third-party email accounts to further compromise the vendor’s clients.

  • Advanced credential phishing:

    Attackers send emails with malicious zero-day URLs, often masking the final credential phishing site behind multiple redirects and lookalike pages.

Compliance concerns

We live in a post-GDPR and post-CCPA world where organizations are liable for mishandling private or sensitive user information - and that’s undoubtedly a good thing. However, even unintentional data violations can result in fines if it’s determined that the offending organization did not provide reasonable data security measures to protect its customers’ personal information.

Keeping in mind the challenges already discussed above - the communication sprawl, a distributed workforce, and cloud apps galore - it becomes very difficult for organizations to avoid accidental data loss. With no one person or application really ‘knowing’ where all the sensitive and confidential information resides, data loss concerns are probably not a surprise.


Why Current Security Measures are Not Enough

You’ve been introduced to cloud office security and agree that it’s needed today. Before we move onto cloud office security capabilities, however, there’s one important question to address - why are current security measures not enough?

Cybersecurity has overengineered complex solutions to simple problems in the past, so it’s worth highlighting the gaps in current security controls to truly underscore why cloud office security applications are purpose-built to solve the human layer challenge.

Metadata-based detection is limited

Since BEC attacks are more sniper than sledgehammer in their technique, metadata and binary rules are not enough to flag these emails. Heavy-handed protection techniques that are solely based on identity or metadata either lead to a flood of false positives or let finely crafted BEC attacks escape their grasp.

Email authentication checks are limited

Email authentication checks like SPF, DKIM, and DMARC definitely have their uses. In fact, they often provide important signals for email attack analysis. But authentication checks like DMARC require widespread adoption to be truly effective. Moreover, if email attacks are sent from reputable domains like Gmail or Yahoo, they seamlessly pass all authentication checks and the burden of detection is placed on busy end users instead.
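To make the gap concrete, here is an added example (not code from the guide or from Armorblox) that parses an Authentication-Results header and then checks the sender against a VIP directory. The organization domain, the VIP directory, and the three sample messages are all constructed for the illustration.

```python
"""Why "SPF/DKIM/DMARC all pass" is not the same as "safe".

Constructed example: three messages are checked first with their
Authentication-Results header and then against a small VIP directory,
so that a display-name impersonation sent from a free-mail domain is
still flagged even though every authentication check passes.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the protected organization's domain
VIP_DIRECTORY = {           # assumed: normalized display name -> real address
    "jane doe": "jane.doe@example.com",
}

# Picks "spf=pass", "dkim=none", "dmarc=fail" etc. out of the header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_auth_results(header: str) -> dict:
    """Return a mapping like {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}."""
    if not header:
        return {}
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def auth_passed(results: dict) -> bool:
    """True only when SPF, DKIM and DMARC all report 'pass'."""
    return all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def normalize_name(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def analyze(raw_message: str) -> dict:
    """Combine the authentication verdict with a VIP display-name check."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    passed = auth_passed(results)

    reasons = []
    if not passed:
        reasons.append("authentication_failed")
    # A known VIP's name on an address that is not that VIP's real address
    # is suspicious regardless of how well the sending domain authenticates.
    vip_addr = VIP_DIRECTORY.get(normalize_name(display))
    if vip_addr and addr != vip_addr:
        reasons.append("vip_display_name_mismatch")

    return {
        "from": addr,
        "from_domain": addr.rsplit("@", 1)[-1],
        "auth_passed": passed,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample messages (headers only matter for this check).
LEGIT = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "To: bob@example.com\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; "
    "dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "Subject: Q3 plan\n\nSee attached.\n"
)
# Passes every check because gmail.com authenticates its own mail correctly.
IMPERSONATION = (
    'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
    "To: bob@example.com\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; "
    "dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com\n"
    "Subject: Quick favour\n\nAre you free for a quick task?\n"
)
# A forged org-domain sender that the authentication checks do catch.
SPOOFED = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "To: bob@example.com\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; "
    "dkim=none; dmarc=fail header.from=example.com\n"
    "Subject: Invoice\n\nPlease review.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("impersonation", IMPERSONATION), ("spoofed", SPOOFED)):
        print(label, analyze(raw))
```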

Fig: Targeted email attacks get past authentication checks and metadata-based detection

Cumbersome (and duplicative) email security stack

Native email security controls such as Exchange Online Protection and Advanced Threat Protection have taken great strides in protecting users against spam, known malware, and mass phishing campaigns. Unfortunately, enterprises now end up double-paying for many of these capabilities while investing in a Secure Email Gateway (SEG).

A SEG sitting in front of native cloud email security not only duplicates protection capabilities, but it also reduces the effectiveness of native connection filtering and detection features. Some SEG vendors actually recommend disabling EOP features to realize full value from their solutions.

Fig: A comparative look at the email security capabilities of native controls, SEGs, and cloud office security applications

Siloed data loss prevention solutions

Preventing unauthorized access to sensitive data in the cloud is not a new thing. Data Loss Prevention (DLP) solutions have introduced and iterated on granular rules that govern access to data and applications. However, these controls are usually restricted to specific environments and don’t protect against lateral movement of sensitive data across applications. For instance, Box Shield might prevent data loss on Box, but it won’t stop someone from downloading a confidential Box file and sending it to external parties over email.

It’s also important to note that investing in integrated DLP solutions for every cloud application will strain even the most healthy security budget. This is especially true in a SaaS-first world where a few dollars per user per month can quickly add up across applications and result in an unwieldy security spend.

The precision-recall conundrum with confidential content protection

There are two major approaches that DLP tools take to protect confidential information today: a keyword-based approach or a signature-based approach. Both approaches have their own struggles. Here’s an example that studies the merits and fallbacks of both approaches. Let’s say some members of your organization are working on a skunkworks project called ‘Operation Schrute Farms’ and have compiled all the confidential information about the project in a collection of documents and spreadsheets.

In a keyword-based protection approach, you will enter ‘Operation Schrute Farms’ as a keyword in your DLP products. Anytime an email, document, or spreadsheet goes out with the keyword ‘Operation Schrute Farms’, a DLP violation will be triggered. This approach has good recall i.e. it will catch any instance of confidential data about ‘Operation Schrute Farms’ being sent out to unauthorized recipients. On the flipside, a keyword-based approach has poor precision i.e. it will also generate a lot of noise by flagging innocuous mentions of the keyword. If you send an email to a colleague about an upcoming meeting about ‘Operation Schrute Farms’, that email will be flagged as well. A keyword-based approach results in security teams getting buried under a mountain of false positives, lacking the time or energy to properly investigate and remediate genuine DLP violations that get flagged.

In a signature-based protection approach, you take signatures (hashes) of every confidential document and spreadsheet about ‘Operation Schrute Farms’ and enter them into your DLP products. This approach has good precision i.e. you can be sure that whenever a confidential document or spreadsheet about ‘Operation Schrute Farms’ is shared with unauthorized recipients, it will get flagged as a violation. On the other hand, a signature-based approach has poor recall i.e. if you open a confidential document, change a few sentences, and save it again, the hash changes and this protection approach is rendered moot.

“When organizations have to choose between a keyword-based DLP approach that has high recall but poor precision, or a signature-based DLP approach that has high precision but poor recall, the choice ends up hinging on minimizing the downsides rather than leveraging the upsides of each approach.”
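The trade-off above can be reproduced with a few lines of code. This is an added example (not the guide's or any vendor's code) that runs a keyword detector and a hash-signature detector over a constructed four-document corpus built around the ‘Operation Schrute Farms’ scenario and reports each detector's precision and recall.

```python
"""Keyword-based vs signature-based DLP on a constructed corpus.

The corpus mirrors the text: one confidential plan, an edited copy of it
(the "change a few sentences and save" case), a harmless meeting reminder
that merely mentions the project, and an unrelated note.
"""
import hashlib
import re

KEYWORD = "Operation Schrute Farms"

PLAN_V1 = (
    "Operation Schrute Farms - acquisition plan\n"
    "Target: a regional beet supplier. Budget: 4.2M. Close: 15 Sep.\n"
)
# The same document after a small edit: the hash changes, the secret does not.
PLAN_V2 = PLAN_V1.replace("Budget: 4.2M", "Budget: 4.5M")

# (document id, content, is the document actually confidential?)
CORPUS = [
    ("plan-v1.docx", PLAN_V1, True),
    ("plan-v2.docx", PLAN_V2, True),
    ("meeting.eml", "Reminder: Operation Schrute Farms sync at 3pm tomorrow.", False),
    ("lunch.eml", "Anyone want to grab lunch at noon?", False),
]


def fingerprint(content: str) -> str:
    """Signature = SHA-256 over whitespace-normalized content."""
    normalized = re.sub(r"\s+", " ", content).strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# The security team registers only the documents it knows about at setup time.
SIGNATURE_REGISTRY = {fingerprint(PLAN_V1)}
KEYWORD_RE = re.compile(re.escape(KEYWORD), re.IGNORECASE)


def keyword_flags(corpus) -> set:
    """Keyword approach: flag anything that mentions the project name."""
    return {doc_id for doc_id, content, _ in corpus if KEYWORD_RE.search(content)}


def signature_flags(corpus, registry=SIGNATURE_REGISTRY) -> set:
    """Signature approach: flag only exact matches of registered documents."""
    return {doc_id for doc_id, content, _ in corpus if fingerprint(content) in registry}


def precision_recall(flagged: set, corpus) -> tuple:
    """Precision = flagged that were confidential; recall = confidential that were flagged."""
    truth = {doc_id for doc_id, _, confidential in corpus if confidential}
    tp = len(flagged & truth)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    for name, flags in (("keyword", keyword_flags(CORPUS)),
                        ("signature", signature_flags(CORPUS))):
        p, r = precision_recall(flags, CORPUS)
        print(f"{name:9s} flagged={sorted(flags)} precision={p:.2f} recall={r:.2f}")
```

On this corpus the keyword detector flags the meeting reminder (a false positive) and the signature detector misses the edited plan (a false negative), which is exactly the precision-recall trade-off the text describes.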

No unified context and learning

Since security products (both inbound threat protection and outbound DLP) are largely application-specific today, organizations lack a universal layer of context. This context might include what constitutes sensitive/confidential data, user behavior including login and access patterns, and the nature of external/internal interactions.

At the outset of this guide, we mentioned that people are at the center of the most attacked and least protected security layer. Since people communicate across email, messaging, and file-sharing applications, it’s vital for security controls to capture behavioral baselines that span these environments as well as learn from them.


The Components of Cloud Office Security: A Capability Checklist

Implementing cloud office security within an organization is usually not a simple “I don’t have it” to “Okay, now I have it” process. When evaluating cloud office security technologies, organizations need to evaluate the breadth and depth of capabilities, method of deployment, and flexibility to fit into (and improve) existing security controls. In this section, let’s take a look at all the moving parts within cloud office security to (hopefully) make wise technology choices.

Inbound email protection

Inbound email protection is the proverbial bread and butter of cloud office security technologies. Your chosen solution should protect against the entire spectrum of socially engineered email attacks while not heavily duplicating existing features present in your cloud email provider or SEG (if you use a SEG).

Here is a feature checklist for inbound email protection:

  • BEC protection: Specific protection against business email compromise attacks such as payment fraud, payroll fraud, and vendor fraud.
  • Impersonation protection: Specific protection against impersonation attacks on VIPs and other key internal staff.
  • Account takeover protection: Detection capabilities focused on spotting email account compromise attacks.
  • Internal mail protection: Scanning of internal emails to prevent lateral movement of attacks.
  • URL scanning: Scanning URLs against threat feeds and tracing all redirections down to the URL’s final destination.
  • Time-of-click protection (URL rewriting): Modifying URLs so that they can be checked at time of click.
  • Attachment AV scanning: Email attachments are scanned for known and unknown malware.
  • Authentication checks: Performing DMARC, DKIM, and SPF authentication on email domains.
  • Pre-defined attack categorization: Accurate classification of threats under specific categories (e.g. payroll fraud, payment fraud, social engineering).

Outbound email protection

Stopping advanced threats from reaching inboxes goes hand in hand with preventing sensitive data from leaving inboxes. Your chosen cloud office security technology should prevent sensitive data (PII, PCI, passwords) as well as user-marked confidential data from being accessed by noncompliant recipients.

Here is a feature checklist for outbound email protection:

  • Data leakage prevention: Block emails or send alerts based on sensitive data within the email content or attachments.
  • Accidental data loss: Specific techniques to prevent accidental data loss based on the content and/or nature of the communication relationship.
  • Automated classification of sensitive information: Includes specific compliance rules for identifying sensitive data loss (e.g. PII, PCI, passwords).
  • Cross-channel protection: Protection against sensitive data shared across channels (e.g. downloaded from Box, shared over email).
  • Confidential content protection: Preventing confidential content from being accessed by noncompliant recipients.
  • Client side add-in: An add-in compatible with email clients that allows users to mark confidential content, provides warnings for misaddressed emails, etc.

Messaging and file-sharing protection

A core facet of cloud office security technologies is the ability to protect communications across cloud channels. Your chosen solution should protect against malicious URLs, direct data loss, and lateral data loss across messaging and file-sharing services in addition to email.

Here is a feature checklist for messaging and file-sharing protection:

  • Data leakage prevention: Block messages/files or send alerts based on sensitive data within the message/file.
  • Accidental data loss: Specific techniques to prevent accidental data loss based on the content and/or nature of the communication relationship.
  • Automated classification of sensitive information: Includes specific compliance rules for identifying sensitive data loss (e.g. PII, PCI, passwords).
  • Cross-channel protection: Protection against sensitive data shared across channels (e.g. downloaded from Box, shared over email).
  • Confidential content protection: Preventing confidential content from being accessed by noncompliant recipients.
  • Time-of-click protection (URL rewriting): Modifying URLs so that they can be checked at time of click.
  • Attachment AV scanning: Messages/files are scanned for known and unknown malware.
  • Client side app integration: An in-app experience on messaging and file-sharing tools that allows users to mark confidential content, provides warnings, etc.

Detection capabilities

Due to the socially engineered nature of today’s attacks as well as the contextual nature of data traveling across cloud apps, cloud office security technologies should possess a breadth and depth of detection capabilities. Importantly, your chosen solution should not focus too heavily on any one technique, since such binary techniques can be bypassed by motivated attackers or edge cases of data loss.

Here is a feature checklist for cloud office security detection capabilities:

  • Identity-based detection: Analyzing signals based on user identity, e.g. name, designation, role and hierarchy.
  • Behavior-based detection: Analyzing signals based on user behavior, e.g. communication patterns, clients and devices used, common login and IP locations.
  • Language-based detection: Analyzing signals based on language, e.g. sentiment and tone, topics discussed, writing styles.
  • Image analysis: Detecting fake login screens and attachments using image analysis techniques.
  • ML model per organization: A custom ML model is built for every organization for increased relevance of detections.
  • Continuously trained ML models: Models are trained across organizations, per organization, and per employee.

Remediation capabilities

Even best-in-class detection won’t be of much use if your security team is drowning in a flood of alerts without any remediation measures in place. Your chosen cloud office security solution should automatically remediate all known threats, give security teams visibility into threat analysis, and enable admins to configure customizable remediation whenever required.

Here is a feature checklist for cloud office security remediation capabilities:

  • End user feedback: Warning banners and inline messages to increase user awareness and empower them to perform triage tasks (mark safe, mark suspicious).
  • End user quarantine: End users have individual quarantine folders where they can manage and release emails.
  • Automated and bulk remediation: Detected threats can be automatically deleted, quarantined, or marked as safe based on predetermined remediation actions. Automated email actions can be applied across user mailboxes.
  • Customizable remediation actions: Threat remediation allows for customization according to threat category, user roles, group membership, and exceptions.
  • Abuse mailbox automation: Emails forwarded to the company abuse/phishing mailbox are automatically investigated and remediated across user mailboxes.
  • Federated classification: Models are trained automatically based on feedback from both end users and security teams (marking threats as safe/suspicious, forwarding threats to the abuse mailbox, etc.).
  • Dynamic policy creation: New threat policies are automatically created based on manual actions taken by security teams (marked as safe, deleted) to dynamically protect against similar future threats.

Deployment

However powerful a product looks during a demo, the real proof is in the pudding of deployment and ongoing operations. Your chosen cloud office security solution should be an API-based cloud-native offering that is still flexible enough to support a variety of infrastructural environments.

Here is a feature checklist for cloud office security deployment capabilities:

  • Cloud platform: The solution is available as a cloud service.
  • API-first architecture: The solution connects with email, messaging, and file-sharing providers over APIs.
  • Autoscaling: The platform is built to autoscale up or down dynamically based on data and resource load.
  • Multitenant support: The solution supports multitenant deployments.
  • Hybrid model support: The solution supports hybrid deployments (e.g. AD on Office 365 but using Exchange on-premise).

Enterprise grade capabilities

Given that cloud office security solutions are meant for enterprise security teams, a few basic prerequisites must be met. Enterprise grade capabilities should enable organizations to stay compliant, have complete visibility into user activity, and prevent compromise of the cloud office security solution itself.

Here is a feature checklist for cloud office security enterprise grade capabilities:

  • Audit logs: Providing detailed audit logs to track user activity.
  • Role based access control: Providing different roles that govern data visibility and level of access to product capabilities.
  • Third-party accreditation: Accreditation of enterprise readiness such as SOC 2 compliance, ISO 27001, and so on.
  • MFA support: Access to the solution is protected through multi-factor authentication.
  • Mobile app support: The solution has a mobile application that provides alerts to the security team, warnings to end users, etc.

Armorblox: A Gartner Cool Vendor in Cloud Office Security

Armorblox is a cloud office security platform that protects enterprise communications across email, messaging, and file-sharing services using natural language understanding. The platform connects over APIs to analyze thousands of signals across identity, behavior, and language. Organizations use pre-configured Armorblox policies to stop targeted attacks, automate abuse mailbox remediation, and prevent outbound and lateral data loss.

In May 2020, Gartner identified Armorblox as a Cool Vendor in Cloud Office Security. Here are what we believe to be the highlights of our unique approach to protecting enterprise communications:

Multi-channel inbound and outbound protection

Armorblox connects with email, messaging, and file-sharing services over APIs to secure communications across cloud office channels. The platform supports Office 365, G Suite, Exchange, Slack, and Box today, with the capability to connect to other data sources over time. This cross-connectivity lends Armorblox a contextual understanding of the enterprise and its employees, enabling the platform to detect threats and stop data loss where siloed technologies fall short.

Broad spectrum of detection signals

Just as no single element in an email is deterministic enough to mark it a ‘good’ or ‘bad’ email, no one detection technique is the panacea for email security woes. Armorblox leverages natural language understanding, deep learning, traditional machine learning, and other detection techniques to analyze thousands of signals across identity, behavior, and language. If legacy email protection controls are padlocks, think of Armorblox as a fingerprint scanner.

Fig: Armorblox analyzes identity, behavior, and language across enterprise communications

Granular attack categories

While all the buzz around BEC is definitely warranted, it can lead to an oversimplification of the many attack categories that constitute BEC. Armorblox has predefined and automatically updated detection categories that bucket emails into specific attack types such as payroll fraud, payment fraud, impersonation, and credential phishing.


Automated (but flexible) remediation

Remediating email attacks is tricky, with security teams needing to walk the tightrope between safety and productivity. Security teams shouldn’t have to manually remediate the vast majority of their email alerts, but they should still have the option of defining custom remediation actions when required. Armorblox provides user-defined remediation options for every attack category, enabling security teams to respond to email alerts with minimal manual effort while upholding organizational productivity. These actions, once set for an attack category, are automatically applied to every email that gets classified under that attack category.

Fig: Customizable threat remediation actions in Armorblox
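To make the category-to-action model described above concrete, here is an added example of a small remediation policy engine. It is illustrative code written for this guide, not Armorblox's implementation: the category names, action names, severity ordering and the sample classified messages are all assumptions. It also covers two cases the text leaves implicit, a message carrying more than one attack category (the most restrictive configured action wins) and a category with no configured action (a fail-closed default applies), and it writes an audit record for every automatic action, the kind of log the enterprise checklist above asks for.

```python
"""Category-keyed remediation policy, applied automatically to classified mail.

Added example for this guide; not Armorblox code. Category names, action names
and message records below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Actions ordered from least to most disruptive. When a message carries several
# categories (an assumption; the text buckets each mail into one type), the most
# restrictive configured action wins rather than whichever category is seen last.
ACTION_SEVERITY = {"banner": 1, "move_to_junk": 2, "quarantine": 3, "delete": 4}

# Security-team-defined policy: attack category -> remediation action.
POLICY = {
    "payroll_fraud": "quarantine",
    "payment_fraud": "quarantine",
    "impersonation": "banner",
    "credential_phishing": "move_to_junk",
}
# A category the team has not configured yet must not result in silent
# delivery, so unknown categories fall back to a restrictive default.
DEFAULT_ACTION = "quarantine"


@dataclass
class Message:
    msg_id: str
    recipient: str
    categories: list  # attack categories assigned by the detection layer


@dataclass
class AuditEntry:
    ts: str
    actor: str
    msg_id: str
    categories: tuple
    action: str


AUDIT_LOG: list = []


def choose_action(categories):
    """Map a message's categories to one action; most restrictive wins."""
    if not categories:
        return None  # clean mail: deliver, nothing to remediate
    actions = [POLICY.get(c, DEFAULT_ACTION) for c in categories]
    return max(actions, key=ACTION_SEVERITY.__getitem__)


def remediate(msg, actor="policy-engine"):
    """Apply the policy to one message and record the decision."""
    action = choose_action(msg.categories)
    if action is not None:
        AUDIT_LOG.append(AuditEntry(
            ts=datetime.now(timezone.utc).isoformat(),
            actor=actor,
            msg_id=msg.msg_id,
            categories=tuple(msg.categories),
            action=action,
        ))
    return action


# Constructed sample classifications, not real detections.
SAMPLE = [
    Message("m1", "ap@example.com", ["payment_fraud"]),
    Message("m2", "assistant@example.com", ["impersonation", "credential_phishing"]),
    Message("m3", "hr@example.com", ["gift_card_scam"]),  # not in POLICY
    Message("m4", "dev@example.com", []),                  # clean
]


def run(messages=SAMPLE):
    """Remediate a batch and return {msg_id: action}."""
    return {m.msg_id: remediate(m) for m in messages}


if __name__ == "__main__":
    for mid, action in run().items():
        print(mid, action)
    for entry in AUDIT_LOG:
        print(entry)
```

The point of keying the policy on the attack category rather than on individual messages is exactly what the text describes: the team sets the action once, and every future message classified into that bucket inherits it. The audit entries are what lets the team later answer "why was this message quarantined" without re-running detection.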

Continuous global and local learning

We can already see you rolling your eyes at ‘machine learning’, but hear us out. To protect against targeted email attacks, relying solely on global machine learning models that are trained on cross-organizational data isn’t enough. Armorblox has three distinct machine learning models: a global one (across organizations), an organization-specific model, and a user-specific model.

Fig: The three-tiered Armorblox learning model

This approach combines the gains from looking at attacks across organizations with the contextual relevance of studying attacks specific to a particular organization.
