Virtualization Technology News and Information
VMblog Expert Interview: Rob Fry Talks Amorblox, Email Security, Data Protection and What's Next

interview armorblox fry 

The threat landscape seems to be constantly changing.  And in 2020, there are even more sophisticated attacks taking place, making this year more extreme.  To learn more, VMblog recently had the opportunity to catch up with cybersecurity industry expert, Rob Fry, the Chief Technology Officer at Armorblox.  

VMblog:  Before we begin, can you give us some background on Armorblox and the customer problem you're trying to solve?

Rob Fry:  Armorblox helps organizations communicate more securely on email and other productivity applications like messaging and file sharing. The Armorblox platform uses natural language understanding (NLU) and other algorithms to stop advanced email attacks like business email compromise (BEC), account takeover, impersonation, and other threats that get past traditional email defenses. Armorblox connects over APIs to Office 365, G Suite, and Exchange for inbound and outbound protection, with more planned integrations on the way.  

On the compliance front, Armorblox helps organizations measure their exposure to data loss by detecting instances of sensitive PII/PCI information and unencrypted passwords shared over email. 

VMblog:  Why do you think this is the right time for language to be a signal in cybersecurity?

Fry:  The short simple answer is we are at an inflection point in capability and community support. As opposed to other datasets in cybersecurity - such as network and endpoint - where AI is still scratching at the surface trying to find high efficacy use cases to tackle, NLU has advanced tremendously in recent years because of work being done in both academia and industry. GPT-3 from OpenAI, RobertA from Facebook, and other open-source pre-trained models continue to strengthen NLU's impact on understanding language. Therefore the availability of pre-trained models, the development of new models, and the improvements on existing techniques are all giving NLU more capabilities to address language-based threats and sensitive data use cases in cybersecurity. 

The role ‘language as a signal' plays today with the more costly attacks against the enterprise is particularly important within email security, given the nature of email attacks we see now. Instead of sharing blatant phishing links, or malicious attachments, attackers are now impersonating your boss or 3rd party supplier and stealing money or data by employing social engineering techniques. When the attack is in the fine print, the protection needs to be there as well.

A simple measure of this capability is called a General Language Understanding Evaluation or GLUE score. Think of GLUE as your average reading comprehension test. NLU is at a stage where GLUE scores are increasing at an outstanding rate. Armorblox is bringing these advances in NLU to cybersecurity, building atop this inflection point to reach a GLUE score of up to 91 for certain tests. 

VMblog:  Phishing attacks have been around for a long time.  Why should organizations continue to invest in email security?  Are email attacks different now (and if so, how)? 

Fry:  Organizations should invest because it's a profitable primary attack vector for the adversary and the creativeness of their attacks persist around legacy systems. This is demonstrated by the sustained financial losses being suffered by organizations, which is currently estimated by the FBI to be at $26 billion over the past 3 years.

People usually associate ‘phishing' with spam and templatized phishing attempts that, while frustrating, are not very effective in fulfilling their objectives. Email security provided by native email providers (Office 365 and GSuite) does a good job of stopping these attacks.

And in the past, email security providers have made email advancements to counter adversarial tradecraft. You can look to legacy technology such as email authentication such as DMARC, DKIM, SPF or sandboxing/detonation, and URL rewriting. While these technologies still have a purpose, the attacks today which cause the most financial loss can easily circumvent these technologies.

Today, adversaries research their targets, mask payloads by standing up zero-day domains with redirections and often impersonate trusted parties to steal money and data. Attackers are also foregoing payloads altogether to bypass sandboxing/detonation technology, focusing instead on socially engineered messages that are crafted at the human layer instead of the technology layer to elicit emotional responses and induce specific actions from victims e.g. fraudulently asking for iTunes gift cards, asking the payroll team to change direct deposit details. Malicious emails are now being delivered from reliable domains such as Gmail and Yahoo to pass authentication checks. 

Email protection engines based solely on signatures, metadata, and other deterministic signals are no longer enough to protect organizations from these advanced attacks. It's also not fair to ask humans to be in a constantly hypervigilant state of mind while interacting with these emails. The average end-user is very busy and has better things to do than triple-checking emails from known associates and dear friends. 

VMblog:  Alert fatigue is a longstanding issue within cybersecurity.  As a threat detection solution, does Armorblox do anything to address this?

Fry:  Alert fatigue is a critical challenge that email security needs to reckon with, especially since 96% of all security attacks begin with an email. Email security alerts are usually high-volume, low-fidelity, and swamp the security team with false positives, creating more problems than solving them.

To reduce the alert burden on security teams, Armorblox has multiple layers of email defense and a feedback loop that continually reduces false positives. In the first layer, our detection engine scans all mailboxes for advanced email threats, classifies them into predefined threat categories, and automatically applies configurable remediation actions e.g. delete or quarantine. 

If any suspicious email gets missed by this layer an employee can report it to the organization's phishing mailbox, Armorblox analyzes the email again and automatically remediates if it flags existing detection categories. For emails that don't flag existing policies, Armorblox centralizes any IOCs related to the email and has a unique and powerful way to display them for the security team to quickly review. This ensures security teams only review the threats that matter and have the relevant information effectively laid out for investigation. 

And for this feedback loop, once security teams review and manually remediate an email attack, Armorblox learns from those manual actions to create dynamic policies. These policies will automatically remediate similar and identical attacks in the future. This feedback loop ultimately improves inbound threat detection. We worked with our customers on ROI calculations to show anywhere from a 60%-98% reduction in time spent on alerts.

Our goal in creating this layered protection has been to ensure that security teams only spend time investigating and remediating email threats that merit their attention.

VMblog:  What is your advice to organizations looking to rebuild their email security stack?

  • Conduct a thorough review of your native email security capabilities to ensure you're maximizing value from that protective layer. 
  • Once you're happy with the native layer, evaluate your other existing email security solutions (e.g. Secure Email Gateways, email authentication) and to what extent they augment native security capabilities. If under-the-hood techniques driving threat detection are similar across two layers, it's inefficient to duplicate investment across both native and third-party controls. Pick the layer that best suits your needs. 
  • To stop targeted email attacks, augment your existing security layers with solutions that provide specific protection against such attacks. Since no one email threat signal is deterministic, look for solutions that combine a broad spread of detection algorithms.
  • Look for self-learning email security solutions. Email attacks will probably look different a few years from now, and it's not sustainable to replace the email security stack whenever that happens. Look for solutions that learn from organizational data to provide enterprise-relevant threat detection.

VMblog:  What is different about your approach to data protection? 

Fry:  The first thing I'd point out is you don't currently see products protecting the commonality and usage between email, messaging, and online drives. While most customers have policies about how to use these services properly, the visibility and controls don't meet customer needs. We've heard from many customers about their desire for us to be successful at this approach because it is materially different. Secondly, on the technical side, our novel approach largely stems from our NLU detection algorithms and how we can tangibly improve data protection. With legacy technologies, there are two prevalent data classification approaches today: pattern-based classification and signature-based classification. While both have their strengths, they cause problems with high false positives rates and poor recall respectively. Conversely, Armorblox leverages topic-based classification that tags topics for every confidential document (e.g. names, numbers, semantic relationships, sensitive data) to improve both data visibility and data protection accuracy.

We have also taken a different approach to policy creation. We want to give both end-users and the security team the freedom to own data protection policies, depending on the business context. This ensures security teams are not blockers for policies where they don't have business visibility, and encourages more secure behaviors from end-users. 

VMblog:  You mentioned non-email channels.  What does that mean and why is it important to customers?

Fry:  While email is still the primary means of digitally communicating and sharing data, it's quickly being supported - and in some cases, supplanted - by other channels like Slack, Microsoft Teams, Box, and OneDrive. In this distributed yet connected landscape, it's important to protect customers across all communication channels. 

Looking at it through a threat lens, the interconnected nature of productivity apps makes it easy for attackers to move laterally after compromising an employee's account. Malicious URLs can be posted on shared channels with the organization's customers, vendors, and partners. 

Looking at it through a data lens, there needs to be a unifying layer across channels that understand what constitutes sensitive and confidential data. Think of the example of the employee who posts a link to a sensitive document from an online drive into a Slack channel where certain, or maybe all, of the people in the channel do not have access to the document. Without such an understanding, it's easy for employees to download a confidential document from email and accidentally share it with unauthorized recipients over Slack. 

Armorblox currently protects customers on all major email providers, Slack, and Box. More integrations such as with OneDrive, Google Drive, and Microsoft Teams are in the works. Our aim is to help customers communicate security wherever they communicate.

VMblog:  Finally, what's ahead for Armorblox?

Fry:  We've received very positive responses and validation from our customers. This has us very focused on continuing to deliver better detection capabilities,  add more integrations to enrich language-based data sets with better context, and build out our partner ecosystem. While it is the early days for NLU in cybersecurity, our customers are becoming more aware of its value while we are working to bring even more awareness to this capability. Over the next year, we feel there will be a major shift for email security away from legacy systems and over to NLU systems like ours. As this is happening, the customer desire for more protection around the human layer will drive an additional desire for language-based solutions, so we feel very confident in our ability to deliver this for the messaging and online platforms in addition to email. 


Published Tuesday, September 15, 2020 7:40 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<September 2020>