The threat landscape is constantly changing, and 2020 has brought even more sophisticated attacks, making this year more extreme. To learn more, VMblog recently had the opportunity to catch up with cybersecurity industry expert Rob Fry, Chief Technology Officer at Armorblox.
VMblog: Before we begin, can you give us some background on Armorblox and the customer problem you're trying to solve?
Rob Fry: Armorblox helps organizations communicate more securely on email and other productivity applications like messaging and file sharing. The Armorblox platform uses natural language understanding (NLU) and other algorithms to stop advanced email attacks like business email compromise (BEC), account takeover, impersonation, and other threats that get past traditional email defenses. Armorblox connects over APIs to Office 365, G Suite, and Exchange for inbound and outbound protection, with more planned integrations on the way.
On the compliance front, Armorblox helps organizations measure their exposure to data loss by detecting instances of sensitive PII/PCI information and unencrypted passwords shared over email.
VMblog: Why do you think this is the right time for language to be a signal in cybersecurity?
Fry: The short, simple answer is we are at an inflection point in capability and community support. As opposed to other datasets in cybersecurity, such as network and endpoint, where AI is still scratching at the surface trying to find high-efficacy use cases to tackle, NLU has advanced tremendously in recent years because of work being done in both academia and industry. GPT-3 from OpenAI, RoBERTa from Facebook, and other open-source pre-trained models continue to strengthen NLU's impact on understanding language. Therefore, the availability of pre-trained models, the development of new models, and the improvements on existing techniques are all giving NLU more capabilities to address language-based threats and sensitive data use cases in cybersecurity.
The role 'language as a signal' plays today with the more costly attacks against the enterprise is particularly important within email security, given the nature of email attacks we see now. Instead of sharing blatant phishing links or malicious attachments, attackers are now impersonating your boss or third-party supplier and stealing money or data by employing social engineering techniques. When the attack is in the fine print, the protection needs to be there as well.
A simple measure of this capability is called a General Language Understanding Evaluation or GLUE score. Think of GLUE as your average reading comprehension test. NLU is at a stage where GLUE scores are increasing at an outstanding rate. Armorblox is bringing these advances in NLU to cybersecurity, building atop this inflection point to reach a GLUE score of up to 91 for certain tests.
VMblog: Phishing attacks have been around for a long time. Why should organizations continue to invest in email security? Are email attacks different now (and if so, how)?
Fry: Organizations should invest because it's a profitable primary attack vector for the adversary, and the creativeness of their attacks persists around legacy systems. This is demonstrated by the sustained financial losses being suffered by organizations, currently estimated by the FBI at $26 billion over the past 3 years.
People usually associate 'phishing' with spam and templatized phishing attempts that, while frustrating, are not very effective in fulfilling their objectives. Email security provided by native email providers (Office 365 and G Suite) does a good job of stopping these attacks.
And in the past, email security providers have made advancements to counter adversarial tradecraft. You can look to legacy technology such as email authentication (DMARC, DKIM, SPF), sandboxing/detonation, and URL rewriting. While these technologies still have a purpose, the attacks today which cause the most financial loss can easily circumvent them.
Today, adversaries research their targets, mask payloads by standing up zero-day domains with redirections, and often impersonate trusted parties to steal money and data. Attackers are also foregoing payloads altogether to bypass sandboxing/detonation technology, focusing instead on socially engineered messages that are crafted at the human layer instead of the technology layer to elicit emotional responses and induce specific actions from victims, e.g. fraudulently asking for iTunes gift cards or asking the payroll team to change direct deposit details. Malicious emails are now being delivered from reliable domains such as Gmail and Yahoo to pass authentication checks.
Email protection engines based solely on signatures, metadata, and other deterministic signals are no longer enough to protect organizations from these advanced attacks. It's also not fair to ask humans to be in a constantly hypervigilant state of mind while interacting with these emails. The average end-user is very busy and has better things to do than triple-checking emails from known associates and dear friends.
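The point above, that a message sent from a free-mail account can pass SPF, DKIM and DMARC while its display name impersonates an executive, can be checked defensively by comparing the authenticated sender against a directory of people worth impersonating. This is an added Python example, not Armorblox code; the headers, the VIP directory and the internal domain are constructed.

```python
import email
from email.utils import parseaddr

# Constructed directory of executives an attacker is likely to impersonate,
# and the domains the organization actually sends from (assumptions, not page data).
VIP_DIRECTORY = {"Dana Chen": "dana.chen@example.com"}
INTERNAL_DOMAINS = {"example.com"}

def auth_results(msg):
    """Parse Authentication-Results headers into {mechanism: result}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
            mech, _, rest = clause.strip().partition("=")
            if mech and rest:
                results[mech.strip().lower()] = rest.split()[0].lower()
    return results

def check_impersonation(raw):
    """Return whether the message authenticated and whether the display name
    matches a VIP while the address belongs to an external mailbox."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    # SPF/DKIM/DMARC vouch only for the sending domain: a gmail.com mailbox the
    # attacker controls passes all three, so a pass is not evidence of legitimacy.
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    expected = VIP_DIRECTORY.get(name.strip())
    impersonation = (expected is not None and addr.lower() != expected
                     and domain not in INTERNAL_DOMAINS)
    return {"authenticated": authenticated,
            "display_name_impersonation": impersonation}

# Constructed sample: the executive's name on a free-mail account, fully authenticated.
SUSPICIOUS = """\
From: Dana Chen <dana.chen.ceo@gmail.com>
To: payroll@example.com
Subject: quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

Are you at your desk? I need something handled before my next meeting.
"""

if __name__ == "__main__":
    print(check_impersonation(SUSPICIOUS))
    # → {'authenticated': True, 'display_name_impersonation': True}
```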
VMblog: Alert fatigue is a longstanding issue within cybersecurity. As a threat detection solution, does Armorblox do anything to address this?
Fry: Alert fatigue is a critical challenge that email security needs to reckon with, especially since 96% of all security attacks begin with an email. Email security alerts are usually high-volume, low-fidelity, and swamp the security team with false positives, creating more problems than they solve.
To reduce the alert burden on security teams, Armorblox has multiple layers of email defense and a feedback loop that continually reduces false positives. In the first layer, our detection engine scans all mailboxes for advanced email threats, classifies them into predefined threat categories, and automatically applies configurable remediation actions, e.g. delete or quarantine.
If any suspicious email gets missed by this layer, an employee can report it to the organization's phishing mailbox; Armorblox analyzes the email again and automatically remediates if it flags existing detection categories. For emails that don't flag existing policies, Armorblox centralizes any IOCs related to the email and has a unique and powerful way to display them for the security team to quickly review. This ensures security teams only review the threats that matter and have the relevant information effectively laid out for investigation.
And for this feedback loop, once security teams review and manually remediate an email attack, Armorblox learns from those manual actions to create dynamic policies. These policies will automatically remediate similar and identical attacks in the future. This feedback loop ultimately improves inbound threat detection. We worked with our customers on ROI calculations to show anywhere from a 60%-98% reduction in time spent on alerts.
Our goal in creating this layered protection has been to ensure that security teams only spend time investigating and remediating email threats that merit their attention.
VMblog: What is your advice to organizations looking to rebuild their email security stack?
Fry:
- Conduct a thorough review of your native email security capabilities to ensure you're maximizing value from that protective layer.
- Once you're happy with the native layer, evaluate your other existing email security solutions (e.g. Secure Email Gateways, email authentication) and to what extent they augment native security capabilities. If the under-the-hood techniques driving threat detection are similar across two layers, it's inefficient to duplicate investment across both native and third-party controls. Pick the layer that best suits your needs.
- To stop targeted email attacks, augment your existing security layers with solutions that provide specific protection against such attacks. Since no one email threat signal is deterministic, look for solutions that combine a broad spread of detection algorithms.
- Look for self-learning email security solutions. Email attacks will probably look different a few years from now, and it's not sustainable to replace the email security stack whenever that happens. Look for solutions that learn from organizational data to provide enterprise-relevant threat detection.
VMblog: What is different about your approach to data protection?
Fry: The first thing I'd point out is you don't currently see products protecting the commonality and usage between email, messaging, and online drives. While most customers have policies about how to use these services properly, the visibility and controls don't meet customer needs. We've heard from many customers about their desire for us to be successful at this approach because it is materially different. Secondly, on the technical side, our novel approach largely stems from our NLU detection algorithms and how we can tangibly improve data protection. With legacy technologies, there are two prevalent data classification approaches today: pattern-based classification and signature-based classification. While both have their strengths, they cause problems with high false positive rates and poor recall respectively. Conversely, Armorblox leverages topic-based classification that tags topics for every confidential document (e.g. names, numbers, semantic relationships, sensitive data) to improve both data visibility and data protection accuracy.
We have also taken a different approach to policy creation. We want to give both end-users and the security team the freedom to own data protection policies, depending on the business context. This ensures security teams are not blockers for policies where they don't have business visibility, and encourages more secure behaviors from end-users.
VMblog: You mentioned non-email channels. What does that mean and why is it important to customers?
Fry: While email is still the primary means of digitally communicating and sharing data, it's quickly being supported, and in some cases supplanted, by other channels like Slack, Microsoft Teams, Box, and OneDrive. In this distributed yet connected landscape, it's important to protect customers across all communication channels.
Looking at it through a threat lens, the interconnected nature of productivity apps makes it easy for attackers to move laterally after compromising an employee's account. Malicious URLs can be posted on shared channels with the organization's customers, vendors, and partners.
Looking at it through a data lens, there needs to be a unifying layer across channels that understands what constitutes sensitive and confidential data. Think of the example of the employee who posts a link to a sensitive document from an online drive into a Slack channel where some, or maybe all, of the people in the channel do not have access to the document. Without such an understanding, it's easy for employees to download a confidential document from email and accidentally share it with unauthorized recipients over Slack.
Armorblox currently protects customers on all major email providers, Slack, and Box. More integrations such as with OneDrive, Google Drive, and Microsoft Teams are in the works. Our aim is to help customers communicate securely wherever they communicate.
VMblog: Finally, what's ahead for Armorblox?
Fry: We've received very positive responses and validation from our customers. This has us very focused on continuing to deliver better detection capabilities, add more integrations to enrich language-based data sets with better context, and build out our partner ecosystem. While it is the early days for NLU in cybersecurity, our customers are becoming more aware of its value while we are working to bring even more awareness to this capability. Over the next year, we feel there will be a major shift for email security away from legacy systems and over to NLU systems like ours. As this is happening, the customer desire for more protection around the human layer will drive an additional desire for language-based solutions, so we feel very confident in our ability to deliver this for the messaging and online platforms in addition to email.