When it comes to protecting your Slack messages, many companies are still flying blind. Slack has become the de facto corporate messaging app, with millions of users and a variety of third-party add-on bots and other apps that extend its use. It has made inroads into replacing email, which makes sense given that, like other messaging apps, it is immediate. Its flexibility and ubiquity are precisely why protecting its communications is so compelling.
Slack hasn’t been sleeping on security; quite the contrary. Last January, the company posted an interview with its CSO about various concerns. Slack’s effort is mainly focused on making sure its own app is bug-free and tested regularly for vulnerabilities. When Slack opened up its API to third-party developers, the company put in place some basic rules to ensure that these apps were also developed with secure controls. Slack also offers some good recommendations for keeping its app more secure, such as making sure that all users enable two-factor authentication and setting up automatic provisioning and deprovisioning of users. All these efforts are noteworthy, but incomplete.
Slack lacks malware protection
Why? Because the app itself doesn’t have any anti-malware or URL filtering built in. Some of these risks seem obvious, but others are more subtle. For example, you can connect members from different organizations across a Slack channel, so organizational security policies can differ while files and messages are freely exchanged. Each user has to be explicitly invited to join a channel, but that doesn’t mean they can be trusted.
Any Slack user can type in a malicious URL that can be immediately shared across your organization. Any user can add from a huge catalog of nearly a thousand different third-party apps, any one of which can broaden your attack surface area if not properly policed. That is where these third-party protection apps come into play.
Slack has a link to its 50-plus security and compliance apps in its catalog. I took a closer look at nearly a dozen different products and tried many of them out on a production Slack messaging group. As with any security product, not every protective tool works for every situation. Some include the ability to scan URLs, stop the transmission of personally identifiable information (such as Social Security and credit card numbers), censor links that could lead to downloading malware, and prevent other nasty things that can find their way into a group channel or a private direct message exchange. You can check out our summary chart to get started with understanding the features, pricing, and context.
Slack security tools vary widely for ease of use, features
Hands-on testing of these products ranges from very easy to painful, and I have tried to indicate the level of time investment required in the chart. Some of these apps are just a matter of clicking on a URL and adding them to your Slack group, like Metacert and Metashield. Others will require you to schedule a call with the vendor’s sales department to gain access. Documentation can be meaningful when it is delivered by interacting with the vendor’s Slack bot, or it can be more vexing and difficult to track down across various online references.
Some products work in conjunction with summary dashboards that offer more sophisticated tools and customizations. Metacert and ZeroFox are two examples. These dashboards can be used to provide auditing and compliance reports, which could be important in your situation. A dashboard can be useful in setting up custom filtering actions for the app, such as protecting against divulging corporate secrets over the messaging channels.
Questions to ask when buying a Slack security tool
If you are trying to lock down your Slack communications, here are some questions to ask your potential security vendor before you make any purchase decision.
- What exact risks are you trying to prevent? A user typing in a bad URL? Or passing on phishing bait to download malware? Or someone posting a Social Security number by mistake? Each tool covers a subset of these circumstances, and I have listed the general features in the chart as a guide.
- What is the ultimate price? This can be vexing, even for those vendors who offer free trials such as Avanan, Metashield and Threatstack. Few vendors show their prices on their websites. Some vendors have confusing pages that lump per-user and per-domain pricing together (Metacert) or don’t specifically mention their Slack protection (Avanan). Others are coy and require you to give up your contact information if you want any specifics since the vendor wants to call you and qualify your circumstances. I have listed pricing information where I could ferret it out.
- What other things besides protecting Slack do you need? Some tools, such as Demisto and OneTrust, are designed just for Slack. Others can be used elsewhere, either as part of their feature set or in conjunction with add-on tools from the same vendor. For example, Metashield and Metacert can screen other messaging platforms such as Skype, Telegram and Facebook Messenger. ZeroFox focuses on protecting communications across your social media accounts. Others protect more general SaaS apps that have significant messaging components, such as ServiceNow and Workday. It depends on what you have installed across your enterprise, whether these tools have external users, and how risk-averse you are.
- Are you better off with a CASB? That brings up an important point. The more you examine these third-party Slack apps, the more you get a feeling of déjà vu. That is because some of the apps are really offerings from the cloud access security broker (CASB) world. Some CASB vendors (such as Cisco Cloudlock, McAfee/Skyhigh or Avanan) offer Slack protection as one of the numerous SaaS apps they cover, but that may open up another can of worms that you don’t necessarily want, or it may force you to re-evaluate your existing CASB vendor if it doesn’t have any Slack support.
- Does it catch shortened URLs? Some tools, such as Metacert, automatically expand the shortened links and then check to see if they are malicious or benign. That is a useful feature.
- What information is available on dashboards? Typically, these tools work in conjunction with a web-based dashboard where you set up various threat policies (such as adding to the prohibited word dictionary or tuning the response of the tool to an event). Both Metacert and ZeroFox do this, although navigating your way around both of their UIs to set this up will require some effort to understand.
- How real-time is the tool? Some products, such as Avanan, ZeroFox and Metacert, censor messages within seconds. Others take longer to respond, which means a piece of malicious content could linger on a channel long enough for a user to copy or click on it.
- Do you need admin access to your Slack installation to install the tool? Some require this, some don’t. Some ask for a wide collection of permissions, such as Metacert and ZeroFox. Others are more parsimonious. This illustrates one of the conundrums of Slack security: The more the tool needs to secure your Slack channels, the more permissions it will need to examine your message content.
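To make the risks in this list concrete (a bad URL, a shortened link that hides its destination, a Social Security or card number posted by mistake), here is an added example of the kind of check a Slack security bot performs on each message. It is illustrative code written for this article, not the product of any vendor named above. It assumes a message event shaped like Slack's Events API payload (a dict with a "text" field, where links arrive as <url|label>), a hostname denylist you supply, and an illustrative list of link-shortener hosts; the redirect resolver is injectable so the logic can be exercised offline.

```python
"""Scan a Slack message event for malicious or shortened URLs and accidental PII.
Added example for this article; not code from Slack or any vendor it reviews."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse

# Slack mrkdwn wraps links as <https://host/path|label>; this regex also catches bare URLs.
URL_RE = re.compile(r"https?://[^\s<>|]+")
# US SSN pattern with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Illustrative (assumed) list of shorteners whose targets must be resolved before checking.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# A resolver maps a URL to its Location header, or None when the server does not redirect.
Resolver = Callable[[str], Optional[str]]


@dataclass(frozen=True)
class Finding:
    kind: str      # "malicious_url", "ssn" or "card"
    value: str     # what was found (card numbers are masked, never stored in full)
    detail: str = ""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def http_resolver(url: str, timeout: float = 5.0) -> Optional[str]:
    """One HEAD request that does not follow redirects; returns the Location header."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow, so the 3xx surfaces as HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
            return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as e:
        return e.headers.get("Location") if e.code in (301, 302, 303, 307, 308) else None
    except (OSError, ValueError):
        return None


def expand_url(url: str, resolver: Resolver, max_hops: int = 5) -> str:
    """Follow a redirect chain one hop at a time, stopping on loops or too many hops."""
    seen = {url}
    for _ in range(max_hops):
        location = resolver(url)
        if not location:
            break
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in seen:
            break  # redirect loop
        seen.add(nxt)
        url = nxt
    return url


def host_in(host: str, domains: set) -> bool:
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_message(event: dict, denylist: set, resolver: Resolver = http_resolver) -> list:
    """Return the findings for one Slack message event (dict with a "text" field)."""
    text = event.get("text", "")
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        final = expand_url(url, resolver) if host_in(host, SHORTENER_HOSTS) else url
        final_host = (urlparse(final).hostname or "").lower()
        if host_in(final_host, denylist):
            findings.append(Finding("malicious_url", url, f"resolves to {final}"))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


if __name__ == "__main__":
    # Constructed event and constructed resolver table; no network access needed.
    fake_resolver = {"https://bit.ly/abc123": "https://evil-example.test/payload"}.get
    event = {"type": "message", "channel": "C0CONSTRUCTED", "user": "U0CONSTRUCTED",
             "text": "see <https://bit.ly/abc123|quarterly report>, my SSN is 123-45-6789 "
                     "and card 4111 1111 1111 1111"}
    for f in scan_message(event, {"evil-example.test"}, fake_resolver):
        print(f)
```

In a real bot, a non-empty findings list is where the "how real-time is the tool?" question gets answered: the message has to be deleted (Slack's chat.delete method) or the poster warned within seconds, which is why the scan does no more than one HEAD request per hop and caps the redirect depth. The card value is masked before it is logged so the filter does not itself become a place where PII accumulates.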