Email Security for Your Data at Rest

Email continues to reign supreme in the enterprise. Despite attempts by messaging, collaboration, and app developers and vendors to offer alternative methods of communication for business use, statistics show that email use is increasing in corporate settings. The number of email accounts worldwide grows at an average rate of 6.5% year-on-year, and the average number of business emails sent/received per year has risen by over 3% annually from 2015 to 2019 [1], with the typical employee managing 126 emails per day, every day. That’s a lot of mail. And it’s one of the main reasons email remains a top cyber threat vector: the busier we are, the more likely we are to skim the contents of an email, click on something we shouldn’t, or include information in an email that would be better sent via another mechanism, one that provides stronger security but requires a separate and less “easy” platform.

This user friction paradigm greases the wheels for cyber criminals, and they know it. Phishing campaigns continue to see success, and the result is vast amounts of data lost or compromised every year. Because email is such a reliable initial point of compromise, the cyber security solutions market has spent considerable time and effort building products to mitigate the threat. From endpoint security tools to email gateways and identity and access controls, security has come a long way in inventing solutions that can stop the most obvious exploit attempts and decrease the number of successful attacks.

With a layered approach, it's possible for businesses to thwart many email-based attacks. It might not look like it based on the sheer number of successful phish, but imagine how immense the problem would be without these controls. Yet, as security practitioners, we must be realistic; some attacks will get through endpoint controls and vulnerable software. Some will take advantage of human nature to capitalize on tiredness, busyness, distractedness, and benightedness.

Content rich inboxes

It’s these attacks that are worrisome. While numerous security technologies focus on stopping infiltration or the progression of attacks after initial exploit, fewer technologies protect the wealth of data sitting inside users’ inboxes. “Today's email security is synonymous with blockers,” said Abhishek Agrawal, co-founder & CTO of email security newcomer Material Security, during a recent call. “But no matter how good blockers are, they are only designed to handle certain types of attacks, and some attacks can target the mailbox without sending a malicious message,” he said, “and mailboxes are a treasure trove of sensitive content; email is the key to connected accounts. Attackers can use email to get into multiple accounts, reset passwords, or take over accounts. Email is no longer just the vector of attack; the mailbox itself is the prize now.”

We’ve repeatedly seen these problems play out in the headlines, and so did Agrawal and team while working at Dropbox in the 20-teens. After the infamous DNC-John Podesta email breach, they decided to go out on their own and start a company focused on protecting email and its contents; Material wants to be the layer that focuses on the rich content that can be accessed via users’ inboxes and the actions threat actors can take after they’ve accessed those environments.

Redaction and removal

Material is built to answer the question: What would an attacker do if they had access to this email account? Once Material is deployed via API, it scans the contents of the managed user/employee mailboxes for sensitive content—PII, financial information, health-related data, company-proprietary information, source code, etc.—and classifies it as “sensitive.” Admins can then flag, redact, or delete these messages, removing the availability of sensitive emails from vulnerable inboxes. Users can also manually classify email as sensitive to address one-off scenarios.

Material extends the same redaction techniques to protect organizations against lateral account takeover via a compromised email account. With the proliferation of SaaS services (including Shadow IT applications) that rely on an email address as an identity layer, email accounts have become key elements of cyber attack attempts. In response, Material was designed to intercept and redact important account messages, such as those used for password resets, and help prevent attackers from expanding laterally.

What about the user experience (you might ask, as I did)? What happens to the emails that are deleted, redacted, or removed from an inbox? Great that admins are reducing email exposure risk, but employees need access to their email to do their jobs. You can’t just delete messages or make them inaccessible without giving the user any warning or ability to counteract the control. Security is critically important, but speed and efficacy are paramount for today’s businesses.

I wasn’t the only one to worry about admins making Draconian decisions about users’ inboxes that may affect productivity. The way Material handles the issue is this: When an email is redacted, it is marked “sensitive” and sent to the customer’s private Google Cloud “project.” In GCP’s terms, a “project” is a private instance of cloud storage where all the customer’s data and API tokens live. When a user sees that a message has been redacted, they can recover it by clicking a “retrieve message” button, which prompts an SSO or MFA push verification, ensuring the person making the request is the legitimate mailbox owner. Once the verification is complete, access to the message is restored. If the user decides to keep the sensitive email in their mailbox, the system automatically redacts the message again after a period of time defined by the administrator.
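The scan, redact, retrieve-with-MFA, and re-redact loop described in the last three sections, as an added illustration that is not Material’s code: a constructed in-memory mailbox with hypothetical detection rules for the content classes the article names (PII, card numbers, password-reset mail), a vault dictionary standing in for the customer’s cloud project, an injected MFA hook, and a TTL sweep for the admin-defined re-redaction period.

```python
import re
import time

# Constructed detection rules for the content classes the article names
# (PII, financial data, account/password-reset mail). Not Material's classifier.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "password_reset": re.compile(r"reset your password|password reset", re.I),
}

class RedactingMailbox:
    # inbox: {msg_id: body}. Sensitive bodies move to a vault (stand-in for the
    # customer's private cloud project) and return only after MFA succeeds.
    def __init__(self, inbox, verify_mfa, ttl_seconds=3600):
        self.inbox = dict(inbox)
        self.vault = {}               # msg_id -> original body
        self.restored_at = {}         # msg_id -> time the user retrieved it
        self.verify_mfa = verify_mfa  # hypothetical hook: callable(user) -> bool
        self.ttl = ttl_seconds        # admin-defined period before re-redaction

    def classify(self, body):
        return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]

    def redact_all(self):
        redacted = []
        for msg_id, body in list(self.inbox.items()):
            labels = self.classify(body)
            if labels and msg_id not in self.vault:
                self.vault[msg_id] = body
                self.inbox[msg_id] = "[redacted: %s; use retrieve]" % ", ".join(labels)
                redacted.append(msg_id)
        return redacted

    def retrieve(self, msg_id, user, now=None):
        # Restore only after the SSO/MFA push succeeds for the mailbox owner.
        if msg_id not in self.vault or not self.verify_mfa(user):
            return False
        self.inbox[msg_id] = self.vault[msg_id]
        self.restored_at[msg_id] = time.time() if now is None else now
        return True

    def sweep(self, now=None):
        # Re-redact anything the user kept in the inbox longer than the TTL.
        now = time.time() if now is None else now
        expired = [i for i, t in self.restored_at.items() if now - t >= self.ttl]
        for i in expired:
            self.inbox[i] = "[redacted again after %ds]" % self.ttl
            del self.restored_at[i]
        return expired
```

A failed MFA check leaves the placeholder in place, and a message the user restored reappears as redacted on the first sweep after the TTL elapses.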

Protecting the cloud project

My next concern was about the customer’s cloud project: The message is removed from the individual mailbox, but it is still stored in the cloud project, and cloud is also vulnerable. Wouldn’t the project then become the attacker’s paradise? Material is moving the threat from one place to another. True, said Agrawal, but there are a few things to consider. First, moving the threat to a less-likely-to-be-compromised location is a viable threat management tactic, as my colleague, Stan Quintana, pointed out. The US Air Force Information Warfare Center (AFIWC) has been using a risk management model developed by Trident Data Systems which classifies the displacement of risk as a legitimate technique. Good enough for the USAF, good enough for email. Thus, though cloud attacks are problematic, and IT and security admins must take due care over their cloud instances, research and history have shown us that email compromise is a more prominent threat at present.

Second, with all the sensitive emails in one place, admins have better visibility into what’s happening with their users’ email accounts: who is accessing sensitive content, what kind of sensitive information is flowing into and out of accounts, and when and for how long sensitive data is sitting at rest in inboxes. The unfortunate reality is that, even with all the commercial tools on the market, many email teams don’t have the visibility they need across their user base to control email data at rest in an effective way. Material gives admins this visibility, plus risk metrics they can use to improve their email security program.

Third, and probably most important, is Material’s secure-by-design architecture. Stan and I hammered on the Material team for a bit on this point and were gratified to see they’ve thought through the implications of a compromise to a customer’s project. They demonstrated their security architecture and sent us a three-page document as a follow-up that outlines their security and governance policies plus the protocols built into the product, including TLS/SSL for data transfers and API calls, isolation, multi-factor authentication, encryption for data at rest, regular external pen tests and ongoing bug bounty programs, and more. Material is also a SOC2 Type 1 certified provider (currently in process for Type 2) and is built for GCP environments, which are compliant with all the major regulations, standards, and best practices.

Further, Material’s customers’ projects can be managed in three modes: fully managed by Material, customer managed, or co-managed. This means that the most cautious companies can opt to lock out external admins and take full control over configurations, access, and any usage decisions.

Crossing the personal-business divide

While Material was developed for enterprises, the personal email accounts of VIPs and high-profile employees (e.g., executives, board members) are major attack targets. Given the lack of separation between our work and personal lives, security teams must consider how to bridge the work-personal divide, for instance, if a work email has somehow slipped into a personal mailbox or if the user is reusing passwords across accounts, making it easy for attackers to use valid credentials to gain access to multiple inboxes.

With Material, companies could offer protection for employees’ (or select employees’) personal email accounts as a benefit…which also happens to protect the company from unintended data exposure. We at TAG Cyber see the ability to protect emails at rest as an important capability, and that means thinking beyond the corporate inbox.

Email is one of our most used tools. Though there are several established email and endpoint security categories, mailbox content protection should receive more enterprise attention. Material is one to watch in this space.