Messaging Apps Protection - Slack

Overview

Slack is a messaging platform designed for the workplace. It offers employees and external collaborators to chat, meet online, and share files. Avanan adds security, privacy, and compliance to Slack by scanning messages and files for malicious content and data leakage (DLP) and generates actionable events on malicious content.

Avanan scans the messages and files shared through direct messaging or channels (private (internal users) and private-to-public channels).

How it works

Avanan adds a layer of security that provides these security features for Slack:

  • Data Leak Prevention (DLP): Protecting sensitive text messages and files
  • Anti-Malware: Scanning of files for malicious content
  • URL Reputation: Blocking malicious links within files and messages
  • Remediation: Tombstoning malicious files or sensitive files and messages

Activating Slack

Important:

  • Discovery API support is required to scan messages. The Enterprise Grid plan supports this.
  • To activate Slack, the onboarding user must have administrator access to the relevant workspace.
  • You must have the minimum supported SaaS license. See Minimum Requirements.
  • The onboarding user should be part of the relevant workspace.

To activate Slack:

  1. From the Getting Started Wizard, click Start for Slack.
    Note - This wizard appears only when you are activating your first SaaS application in the Avanan portal.
    Or
    Navigate to Security Settings > SaaS Applications and click Start for Slack.
  2. Click Start in the pop-up screen that appears.
  3. In the Slack Sign-in window that opens, sign in with your Slack administrator credentials.
    Note - Slack performs the authentication, and Avanan does not provide these credentials.
  4. In the authorization screen from Slack, click Accept to grant necessary permissions to Avanan.
    The Slack SaaS is enabled, and monitoring begins immediately.
    Slack

Deactivating Slack

To deactivate Slack:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Stop for Slack.
    Slack-Stop

Slack Security Settings

Customizing Tombstone Messages

If a message/file is tombstoned, a tombstone message will appear instead of the tombstoned message/file. The original message/file becomes inaccessible to the sender and the recipients in the chat/channel.

Administrators can customize the tombstone message for both messages and files.

To customize the tombstone messages:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Configure for Slack.
  3. To customize the tombstone message for messages, update the Slack Message field.
  4. To customize the tombstone message for files, update the Slack Files field.
  5. To allow users to unblock messages, clear the Allow unblock message checkbox.
  6. Click Save.

Configuring Slack Policy

Malware Policy

By default, the Slack malware policy scans for malicious content in the files sent using Slack.

Supported Actions

Slack malware policy supports these actions:

  • Tombstone of files and text messages that contain malicious content.
    • If malicious content is found, the sender will get the tombstoned message.
    • If malicious content is found, the recipient(s) will get the tombstoned message.
      slack-tombstone-recipient
  • Alert sender: Sends an email notification to the sender of a file or message that contains malicious content.
  • Alert admin(s): Sends an email notification to the admin(s) about the malicious files and messages.

Configuring Malware Policy

To configure Malware policy:

  1. Click Policy on the left panel of the Avanan portal.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Slack.
  4. From the Choose Security drop-down list, select Malware and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Under Blades, select the threat detection blades required for the policy.
    Note - To select all the blades available for malware detection, enable the All running threat detection blades checkbox.
  7. Configure Actions required from the policy.
    • To tombstone messages, enable the Tombstone Message checkbox.
      Note - This option will be available only in Detect and Remediate protection mode and when URL Reputation threat detection blade is enabled.
    • To tombstone files, enable the Tombstone File checkbox.
      Note - This option will be available only in Detect and Remediate protection mode and when Anti-Malware threat detection blade is enabled.
    • To send email alerts to the sender about malware in messages and files, enable the Alert sender - messages and Alert sender - files checkbox.
    • To send email alerts to admins about malware in messages and files, enable the Alert admin(s) - messages and Alert admin(s) - files checkbox.
      Slack-Alerts-Malware

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  8. Click Save and Apply.

DLP Policy

By default, the DLP policy scans the messages and files for potentially leaked information, such as credit card number and Social Security Number (SSN).

Supported Actions

Slack DLP policy supports these actions:

  • Tombstone of files and text messages that contain sensitive information.
    • If sensitive information is found, the sender will get the tombstoned message.
    • If sensitive information is found, the recipients(s) will get the tombstoned message.
  • Alert sender: Sends an email notification to the sender of a file or message that contains sensitive information.
  • Alert admin(s): Sends an email notification to the admin(s) about the files or messages that contain sensitive information.

Configuring DLP Policy

To configure DLP policy:

  1. Click Policy on the left panel of the Avanan portal.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Slack.
  4. From the Choose Security drop-down list, select DLP and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Under DLP Criteria, select the DLP categories required for the policy.
    For more details about the DLP rules and categories, see DLP Built-in Rules and Categories.
  7. Select the sensitivity level required for the policy.
    • Very high (hit count > 0)
    • High (hit count > 2)
    • Medium (hit count > 5)
    • Low (hit count > 10)
    • Very Low (hit count > 20)
  8. To exclude DLP policy for the messages and files shared only with the internal users, enable the Skip Internal items checkbox.
  9. Configure Actions required from the policy.
    • To tombstone messages, enable the Tombstone Message checkbox.
      Note - This option will be available only when Detect and Remediate protection mode is enabled.
    • To tombstone files, enable the Tombstone File checkbox.
      Note - This option will be available only when Detect and Remediate protection mode is enabled.
    • To send email alerts to the sender about DLP in messages and files, enable the Alert sender - messages and Alert sender - files checkbox.
    • To send email alerts to admins about DLP in messages and files, enable the Alert admin(s) - messages and Alert admin(s) - files checkbox.
      Slack-Alerts-DLP

    Notes:

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  10. Click Save and Apply.

Viewing Slack Security Events

Avanan records the Slack detections as security events. The event type depends on the type of policy that created the event. You can handle the security events in different ways, whether they are detected/prevented automatically or discovered by the administrators after not being prevented.

The Events screen shows a detailed view of all the security events.

Slack-Events-page-new