The next target for phishing and fraud: ChatOps

Cloud-based chat systems introduce a unique set of requirements given the breadth and depth of access to potentially sensitive data


This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Enterprise chat applications have surged in popularity, driven in large part by Slack, which now claims to serve more than three million users daily. What’s more, the popularity of these apps has given rise to a new phenomenon known as ChatOps, which is what happens when these new messaging systems are used to automate operational tasks.

GitHub coined the term ChatOps to describe a collaboration model that connects people, tools, processes and automation into a transparent workflow. According to Sean Regan, head of product marketing for HipChat, this flow ties together the work that needs to be done, the work that is happening and the work that has been done, in a persistent location staffed by people, bots and the relevant tools. Its transparent nature speeds up feedback loops, promotes information sharing and strengthens team collaboration, but it also introduces a new set of challenges for security and risk professionals.

Take, for example, the General Services Administration. Earlier this year, the agency and one of its outside partners shared a series of documents and spreadsheets through Slack. In doing so, they opened up programmatic access to more than 100 Google Drive accounts for nearly half a year, in violation of the acceptable permissions policy defined by the GSA’s information security team.

This is not a security flaw in Slack – instead, it is a risk exposed by the combination of unfamiliar systems being used and managed by business users who are not security specialists familiar with the many regulatory and compliance-related rules around data protection.

Chat systems, however, can be securely adopted and managed. In understanding how, first consider how these systems have been adopted. The ease of using these platforms, coupled with their cloud-native integration capabilities with other systems, is largely responsible for rapid growth in the enterprise.

Business users are also using chat systems to automate tasks such as filing expense reports, building to-do lists and scheduling meetings, thanks to the ability to integrate bots and AI into messaging applications. Microsoft’s Bot Framework for Skype, Slack and Office 365 lets organizations build and connect intelligent bots that interact naturally wherever users are already talking.

By weaving third-party content into the typical employee’s daily communication stream, and combining that with extensible functionality, these chat applications are starting to displace not only email as the dominant daily messaging system but also the command line, and even the web browser, for many repetitive tasks.

Age-old threats

While integrations mean new risks, the popularity of chat tools has also opened the door to a more basic threat: spear phishing, a problem the industry has been wrestling with (largely unsuccessfully) for years. Over the past 18 months, the FBI says phishing has cost more than $3 billion in losses. To a large extent, these attacks succeed because existing email security products were designed to block, quarantine or prevent the delivery of malicious mail.

This is changing as vendors realize that this strategy has failed to prevent attacks that rely on deception and targeted social engineering, rather than malware or blacklisted sending servers. Unfortunately, much of the security market remains focused on point solutions and perimeter controls for email.

As chat platforms become increasingly popular, they are an obvious target for the same kinds of impersonation attacks, especially for organizations that allow external users, such as customers or contractors, to engage via chat platforms. CISOs and security teams need a comprehensive strategy for identifying these attacks broadly. While the legacy vendors have yet to catch up to this new threat surface (excepting limited data loss prevention functionality), safeguarding against targeted attempts to steal IP, financial resources, or other sensitive data should be part of a comprehensive security posture for Slack.
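One concrete way to look for impersonation in a workspace that admits external users is to compare the display names of external accounts against the internal directory after folding case, Unicode compatibility forms and visually confusable characters. The script below is an added example written for this article, not code from the original piece or from any chat vendor; the user records, the confusable map and the high-value role list are constructed sample data, and a real deployment would pull the directory from the platform’s API and use the full Unicode confusables table.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory of internal users (hypothetical data).
INTERNAL_USERS = [
    {"id": "U001", "display_name": "Maria Chen", "title": "CFO"},
    {"id": "U002", "display_name": "Dev Patel", "title": "Engineering Lead"},
]

# Constructed sample of accounts seen in shared/external channels (hypothetical data).
EXTERNAL_USERS = [
    {"id": "X100", "display_name": "\u041caria Chen", "workspace": "partner-one"},  # Cyrillic capital EM
    {"id": "X101", "display_name": "maria.chen", "workspace": "contractor"},
    {"id": "X102", "display_name": "Sam Okafor", "workspace": "partner-one"},
    {"id": "X103", "display_name": "Dev Pate1", "workspace": "vendor-x"},  # digit one for letter l
]

# Roles whose impersonation is treated as high severity (hypothetical policy).
HIGH_VALUE_TITLES = {"CFO", "CEO", "Engineering Lead"}

# Small confusable map: visually similar characters folded to an ASCII base.
# A production deployment would use the full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "\u041c": "m", "\u043c": "m",   # Cyrillic EM (upper/lower)
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
})


def normalize(name: str) -> str:
    """Fold Unicode compatibility forms, confusables, case and separators."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means the normalized names are identical."""
    return SequenceMatcher(None, a, b).ratio()


def find_lookalikes(internal, external, threshold=0.85):
    """Return external accounts whose display name matches or nearly matches an internal user."""
    findings = []
    normalized_internal = [(user, normalize(user["display_name"])) for user in internal]
    for ext in external:
        ext_norm = normalize(ext["display_name"])
        for user, int_norm in normalized_internal:
            score = similarity(ext_norm, int_norm)
            if score >= threshold:
                findings.append({
                    "external_id": ext["id"],
                    "external_name": ext["display_name"],
                    "workspace": ext["workspace"],
                    "impersonates": user["id"],
                    "score": round(score, 2),
                    "severity": "high" if user["title"] in HIGH_VALUE_TITLES else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_lookalikes(INTERNAL_USERS, EXTERNAL_USERS):
        print(finding)
```

Run against the sample data, the three lookalike accounts (Cyrillic letter, dotted variant, digit-for-letter) are flagged and the unrelated external user is not. The threshold is deliberately high so that the check produces a short review queue rather than noise; the severity field lets the queue be sorted by who is being impersonated.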

Malicious apps and permissive bots

When building a security program to address ChatOps initiatives, the primary focus should be third-party access.

Like many cloud platforms, chat tools allow outside organizations to extend their functionality through internal APIs, from scheduling assistants to travel booking tools to a wide range of engineering and product management systems. On the whole, this extensibility is a core strength of these systems.

From a security standpoint, however, these integrations can represent data exfiltration opportunities that must be addressed. First, not every third-party company is a good steward of the data it can access; vendor vetting and corporate acceptable-use policies should apply to chat programs just as they do to any other system. As the GSA example shows, relying on users to understand the technical limitations and risks of the technologies they connect is not a robust strategy.

The root problem is that many CISOs and CIOs have limited visibility into which third-party applications are even in use, and effectively no ability to remove them when they violate internal security policy. While trusted applications can be a boon to productivity, the ability to detect and manage the risk of applications and bots that fail to meet organizational standards – ideally with access to information that establishes each application’s risk profile in real time – is an essential security capability for these new ecosystems.
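The visibility gap described above is easiest to close with a periodic audit that scores every installed app against written policy: who the vendor is, which permission scopes the app holds, and whether it is still being used. The script below is an added example for this article, not code from the original piece or from Slack. The installed-app inventory, the approved-vendor list, the scope groupings and the scoring weights are constructed for the demo; the scope strings follow Slack’s naming, but which scopes count as sensitive or forbidden is a policy choice each organization makes for itself.

```python
# Organization policy values are hypothetical examples chosen for this demo.
APPROVED_VENDORS = {"calendar-co", "travel-desk"}
# Scopes that expose message or file content; scope names follow Slack's naming,
# but grouping them as "sensitive" is this example's own policy choice.
SENSITIVE_SCOPES = {"channels:history", "groups:history", "im:history",
                    "files:read", "users:read.email"}
# Scopes the policy never allows a third-party app to hold.
FORBIDDEN_SCOPES = {"admin", "files:write"}
STALE_DAYS = 90

# Constructed inventory of installed apps, the kind of list a workspace
# admin export would provide (hypothetical data).
INSTALLED_APPS = [
    {"name": "Scheduler", "vendor": "calendar-co", "scopes": {"users:read", "chat:write"},
     "installed_by": "alice", "last_used_days": 2},
    {"name": "TripBot", "vendor": "travel-desk", "scopes": {"chat:write", "files:read"},
     "installed_by": "bob", "last_used_days": 40},
    {"name": "FunGifs", "vendor": "gif-corp", "scopes": {"chat:write", "channels:history"},
     "installed_by": "carol", "last_used_days": 1},
    {"name": "ExportAll", "vendor": "export-llc",
     "scopes": {"files:read", "files:write", "channels:history", "admin"},
     "installed_by": "dave", "last_used_days": 200},
]


def assess_app(app):
    """Score one app against policy and recommend allow / review / remove."""
    reasons, score = [], 0
    unapproved = app["vendor"] not in APPROVED_VENDORS
    if unapproved:
        reasons.append("vendor not on approved list")
        score += 3
    forbidden = sorted(app["scopes"] & FORBIDDEN_SCOPES)
    if forbidden:
        reasons.append(f"forbidden scopes: {forbidden}")
        score += 5
    sensitive = sorted(app["scopes"] & SENSITIVE_SCOPES)
    if sensitive:
        reasons.append(f"content-access scopes: {sensitive}")
        score += 2 * len(sensitive)
    if app["last_used_days"] > STALE_DAYS:
        reasons.append(f"unused for {app['last_used_days']} days")
        score += 1
    # Hard policy violations, or content access by an unvetted vendor, mean removal.
    if forbidden or (unapproved and sensitive):
        action = "remove"
    elif reasons:
        action = "review"
    else:
        action = "allow"
    return {"name": app["name"], "installed_by": app["installed_by"],
            "score": score, "action": action, "reasons": reasons}


def audit(apps):
    """Assess every installed app and return the results highest-risk first."""
    return sorted((assess_app(a) for a in apps), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for result in audit(INSTALLED_APPS):
        print(f"{result['action']:6} {result['score']:3} {result['name']}: {'; '.join(result['reasons'])}")
```

The point of the score is not the exact number but that it is computed from the same facts an administrator can see in the app directory, so the report is auditable. The `installed_by` field is kept in the output because, as in the GSA case, the person who connected the app is usually the one who needs to be told why it was removed.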

Credential loss and account abuse

The final consideration from a chat security perspective is ensuring that credentials are not being stolen and misused. As with any enterprise application, the most difficult threat to detect is the internal user whose account is compromised and then used to move laterally within the organization.

For a chat program, this can lead to data loss through impersonation, the installation of malicious bots, or even direct system compromise for other pieces of corporate infrastructure.

Beyond enforcing strong passwords and multi-factor authentication, information security teams should make sure they have comprehensive analytics on credential usage, capable of detecting anomalous login or access activity not only within the chat environment but across every system connected to it. Suspicious events should also trigger automated alerting and response, minimizing the window of opportunity for an attacker to bypass controls and exfiltrate sensitive information.
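The cross-system analytics the paragraph calls for can be prototyped with two simple rules over a merged audit trail: a login from a country the user has never used, and two events from different countries closer together than any plausible journey. The script below is an added example for this article, not code from the original piece or from any vendor. The audit lines, the per-user baseline and the playbook names are constructed sample data (users and countries are invented, addresses are RFC 5737 documentation ranges); in practice the events would come from the chat platform’s audit log joined with the logs of the connected drive and VPN systems.

```python
from datetime import datetime, timedelta

# Constructed audit trail merged from the chat platform and connected systems.
# Format: timestamp user system action source_ip country (hypothetical data;
# one line is deliberately out of order to show that events are sorted first).
AUDIT_LINES = """\
2016-09-01T08:02:11Z alice chat login 203.0.113.10 US
2016-09-01T08:05:40Z alice drive access 203.0.113.10 US
2016-09-01T10:00:00Z bob vpn login 192.0.2.44 DE
2016-09-01T09:10:02Z alice chat login 198.51.100.7 RU
2016-09-01T09:12:30Z alice drive access 198.51.100.7 RU
2016-09-01T12:30:00Z bob chat login 192.0.2.44 DE
"""

# Countries each user has historically logged in from (hypothetical baseline).
BASELINE = {"alice": {"US"}, "bob": {"US", "DE"}}

# Two events from different countries inside this window are treated as impossible travel.
TRAVEL_WINDOW = timedelta(hours=2)

# Automated response attached to each alert kind (hypothetical playbook names).
PLAYBOOKS = {"new_country": "step-up-mfa", "impossible_travel": "revoke-sessions-and-notify"}


def parse(lines):
    """Turn the whitespace-separated audit lines into time-ordered event dicts."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, system, action, ip, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "system": system, "action": action, "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, baseline, travel_window=TRAVEL_WINDOW):
    """Flag logins from unseen countries and geographically impossible event sequences."""
    alerts, last_seen, reported = [], {}, set()
    for ev in parse(lines):
        user, country = ev["user"], ev["country"]
        # Rule 1: activity from a country not in the user's baseline (reported once per pair).
        if country not in baseline.get(user, set()) and (user, country) not in reported:
            reported.add((user, country))
            alerts.append({"kind": "new_country", "user": user, "system": ev["system"],
                           "detail": f"{country} from {ev['ip']}", "ts": ev["ts"],
                           "response": PLAYBOOKS["new_country"]})
        # Rule 2: previous event for this user came from another country too recently,
        # regardless of which connected system either event was recorded on.
        prev = last_seen.get(user)
        if prev and prev["country"] != country and ev["ts"] - prev["ts"] < travel_window:
            minutes = int((ev["ts"] - prev["ts"]).total_seconds() // 60)
            alerts.append({"kind": "impossible_travel", "user": user,
                           "system": f"{prev['system']}->{ev['system']}",
                           "detail": f"{prev['country']} then {country} within {minutes} min",
                           "ts": ev["ts"], "response": PLAYBOOKS["impossible_travel"]})
        last_seen[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LINES, BASELINE):
        print(alert["ts"].isoformat(), alert["user"], alert["kind"], alert["detail"], "->", alert["response"])
```

On the sample data the second rule fires across systems (a drive access in one country followed by a chat login in another), which is exactly the signal that is invisible when each system’s log is reviewed on its own. The `response` field is what a SOAR or alerting pipeline would consume to kick off the automated action the article recommends.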

The reality for most organizations is that the pace of cloud application adoption keeps accelerating. Chat systems are just one manifestation of modern hyper-connected infrastructure, and defending against threats within them calls for a disciplined but ultimately empowering approach, one in which threat detection and remediation are treated as part of how the organization embraces new technology rather than as a reason to block it.

On balance, the rise of cloud-based chat systems is both a positive and productivity-enhancing paradigm shift. However, as with any new system, security considerations need to be identified and planned for – and these platforms introduce a unique set of requirements given the breadth and depth of their access to potentially sensitive data and personnel.
