As more of us move towards working from home, we are becoming more dependent on one key technology — instant messaging (IM). Applications such as Slack, Microsoft Teams and Flock have become de facto and mainstream corporate communications tools with millions of users. These tools are particularly effective at bringing together remote teams and helping reduce the delays in answering emails and a nice way to keep your inbox decluttered. But it’s precisely because of IM’s flexibility and ubiquity that makes it more compelling to protect its communications.
Until recently, corporate IT security managers haven’t given IM security much attention and many companies are still flying blind. Let’s discuss ways to improve your IM security. First, we’ll examine infection vectors and other common ways of compromising IM channels.
The first big issue with using IM apps is that they usually don’t have any anti-malware or URL filtering built-in. These risks seem obvious, but there are others that are more subtle. For example, with some systems, you can connect members from different organizations across a channel, so that organizational security policies could differ while files and messages are freely exchanged. While each user has to be explicitly invited to join a channel, that doesn’t mean that they can be trusted. Any IM user can type in a malicious URL that can be immediately shared across your organization. And any user can add from a huge catalog of different third-party apps, any one of which can broaden your attack surface area if not properly policed. That is why a growing collection of third-party IM protection apps come into play.
Another problem is how IM apps have created points of integration that could be vulnerable. Most of them also come with a variety of third-party add-on chatbots and other apps that can extend their use (you can find Flock’s app store here, for example). These add-ons make use of various published application programming interfaces or APIs that make it easier for developers to build add-on tools to integrate with their systems. Slack, for example, has put in place some basic rules to ensure that these apps were also developed with secure controls.
One issue is choosing the right corporate IM tool may not rest on how secure it is but in how secure it could be. Often, these decisions are political and are based on which department began using IM and how influential this choice was. Many IT departments migrated to Slack and it spread throughout the enterprise as a result.
But those early Slack users had problems with its security, particularly about how secure the Slack code itself was. A few years ago the company posted an interview with their CSO about their various concerns. That brought about an effort to focus on making sure their app became bug-free and was regularly tested for vulnerabilities. Flock followed along and makes a point of listing its various security features here.
But these issues opened the door for many third-party developers to write special security and compliance apps in its catalog here. There are several dozen of them now. Some include the ability to scan URLs, stop the transmission of personally identifiable data (such as Social Security and credit card numbers), censor links that could lead to downloading malware and prevent other nasty things that can find their way into a group channel or a private direct message exchange.
Other IM platforms don’t offer as many security add-on tools. Some of these platforms do have a number of application integrations but have less robust native protective measures, such as catching bad web links or potential phishing attachments.
Given this context, if you are shopping for a new IM supplier here are some questions you might want to ask them to determine how seriously they take their security measures:
What exact risks are you trying to prevent? A user typing in a bad URL? Or passing on phishing bait to download malware? Or posting a Social Security number by mistake? Your IM platform should natively block these avenues, and if you are considering any third-party security tool, it should be able to handle these circumstances.
What is the ultimate price? This can be vexing, even for those vendors who offer free trials such as Avanan, Metashield and Threat Stack. Few vendors offer web pages that list their prices explicitly. Some vendors have confusing pages that lump per user and per domain pricing together (Metacert) or don’t specifically mention their Slack protection (Avanan). You should expect to pay anywhere from $30 per month per domain to $20 per month per user.
What other things besides protecting IM can you accomplish with the same tool? Some tools such as Demisto and OneTrust are just designed for Slack. But others can be used elsewhere, either as part of their feature set or in conjunction with add-on tools from the same vendor. For example, Metashield and Metacert can screen other messaging platforms such as Skype, Telegram and Facebook Messenger. ZeroFox focuses on protecting communications across your social media accounts. Others can protect more general SaaS apps, such as ServiceNow and Workday that have significant messaging components. It depends on what you have installed across your enterprise, whether these tools have external users and how risk-averse you are.
Are you better off with a cloud access broker or CASB? That brings up an important point. The more you examine these third-party IM security apps, the more you get the feeling of deja vu. That is because some of the apps are really offerings from the CASB world. And while some CASB vendors (such as Cisco Cloudlock, McAfee/Skyhigh or Avanan) offer Slack protection as part of the numerous SaaS apps they cover, that may open up another can of worms that you don’t necessarily want or may force you to re-evaluate your existing CASB vendor if they don’t have IM support.
Does it scan shortened URLs? Some tools, such as Metacert, automatically expand the shortened links and then check to see if they are malicious or benign. That is a useful feature.
What information is available on dashboards? Typically, these security tools work in conjunction with a web-based dashboard where you set up various threat policies (such as adding to the prohibited word dictionary or tuning the response of the tool to an event). Both Metacert and ZeroFox do this, although navigating your way around both of their UIs to set this up will require some effort to understand.
Secure On Every Channel
Asking these questions and answering them correctly is a great start to securing your IM platforms. By taking the time to lock down your IM security, you’re moving a step closer to ensuring your organization is secure across all channels.