Cloudera Cuts Phishing Triage Time By 80% While Building Herd Immunity to Targeted Attacks
- Existing phishing reporting and triage processes were cumbersome, resulting in low reporting and delayed response times.
- Implemented Phishing Herd Immunity, enabling a single employee report to protect the whole company from similar attacks, without requiring security review.
- Reduced phishing triage time by 80%, increased reporting through increased trust, and improved culture of security awareness.
- Reduced risk of sensitive data loss from departing employees by deploying Leak Prevention automatically via Okta Groups.
“The greatest success right now is seeing increased involvement from people across the company. We’ve seen people say that this type of phishing defense is pretty cool. It’s nice to be able to get their thoughts and thank them for proactive behavior.”
In early 2019, US-based software providers Cloudera and Hortonworks completed their merger under the Cloudera name. The security team, led by CIO Eddie Garcia, took on the challenge of protecting the new Cloudera against the growing risk of phishing attacks, data leaks, and other security threats. For the Cloudera security team, email security—especially phishing—is a regular board-level conversation and a lever for building security awareness and participation.
“Our IT and security teams don’t stay silent in the background. We communicate what we are doing and how we can help, and explain what we are doing and why.”
Meet Trevor O’Donovan, Information Security Analyst. It became clear to him that the phishing response tools built into their email platform weren’t cutting it, so his team transformed reporting, remediation, and overall security awareness by revamping their reporting and triage processes. They didn’t just improve their immunity to phishing attacks, but also reduced the risk of sensitive email leaving the company during employee offboarding.
Phishing Herd Immunity Crowdsources Remediation and Boosts Security Awareness
Incomplete Best Practices — When Phishing Training Isn’t Enough
Trevor prioritized investments in user training because many types of attacks (including those that are subtle, targeted, or from trusted addresses) were hard for any automated filters to detect. This meant that employees served as a valuable last line of defense. However, the existing reporting process was so painful that it discouraged employees from reporting at all, and slowed down the security team’s responses. Then Cloudera was hit with the now-infamous gift card scam.
The Cloudera security team introduced phishing training but quickly realized that employees often didn’t internalize the training. Even well-trained users would sometimes slip up during busy, on-the-go moments. And while some users did correctly identify attacks, others fell victim to near-identical ones from similar threat actors. This forced the team into a lengthy manual triage process for every report. It was time for a creative solution.
“We had enough of phishing. It was taking time away from other work. We wanted it automated to get a better handle on it and be more proactive.”
Collective Defense Cuts Response Time and Amazes Employees
Cloudera selected Material for its flexible approach to end-user reporting and novel post-delivery response to suspicious messages. The process was powered by Phishing Herd Immunity, which empowers an individual employee to protect everyone else from similar messages with minimal disruption and without the bottleneck of an investigation. To test it out, the Cloudera team piloted Material with a phishing training campaign that targeted 10% of employees during their Security Awareness Month. When they saw the remarkable results from this initial test, Cloudera standardized their reporting and response on Material. Trevor O’Donovan describes what happened next:
“Material automatically remediated the phishing messages reported by other employees. There was a lot of chatter in Slack about it. People were amazed, and it gave them satisfaction knowing that their reports were acted upon so quickly.”
Cloudera’s security team is now able to provide real-time feedback to employees who report messages, which as Eddie described, “gives employees affirmation that we are doing something about it” and ultimately fosters a culture of security awareness. Today, employees are actively protecting the entire organization from email-based attacks through improved awareness in an ongoing virtuous cycle.
“On average, Material reduced the time required for phishing response by about 80%. That’s definitely a significant shift. And now we can say: we are there, and it’s doing its job, and we trust it.”
Achieving Instant Remediation At Scale with Painless False Positives
Phishing Herd Immunity is effective against suspicious messages that inevitably get through blockers due to the combination of two powerful steps. First, when someone reports a message, Material creates a cluster of similar messages across all mailboxes. Next, it applies an auto-remediation to the cluster, which could be anything from marking messages as spam to subtly modifying them post-delivery to create “speed bumps” that warn users.
For Cloudera, this solution addressed the critical 30-60 minute window when many emails are opened and the security team can’t respond fast enough without massive investments or becoming overwhelmed. Additionally, Material eliminated the repetitive work of investigating each message individually, a time-consuming reality for too many security teams.
“The clustering for us is where it really makes its mark. When I see that there are like 70 emails clustered together in the phishing console, I’m confident and not worried about denying the wrong email.”
Cloudera chose to auto-remediate messages with a warning instead of removing them from mailboxes outright. Not only did this minimize the impact of false positives, but it also trained would-be victims in the case of real attacks. As a result, Cloudera’s employee-powered reporting accuracy improved. Trevor explains, “False positives in reports have reduced. The employees are learning what types of emails to flag.” If and when a reporting mistake happens, the security team can restore messages with a single click.
Leak Prevention Extends Okta To Reduce Data Loss During Offboarding
Cloudera’s security team used Material to identify other risks in the organization. Material’s Risk Analytics revealed that a large amount of sensitive data was sitting in mailboxes, raising concerns about the risk of data misuse—especially during the offboarding process. The team needed a way to protect customer data and intellectual property.
Cloudera implemented Material’s Leak Prevention which redacts sensitive messages in archives and adds a quick extra layer of authentication (Okta Verify in this case) to access them again. This control gives security teams the power to rate-limit suspicious insider activity such as unexpected or unusual access attempts. It also reduces the risk of sensitive data loss via compromised accounts.
“Our team is all about automation. We are always trying to make less work for ourselves.”
Cloudera took things a step further and automatically applied this protection to all current and future offboarding employees. They set up a departing employees Okta group that syncs with Workday and then used Material's built-in support for Okta to enable Leak Prevention for just that group. With this integration, protecting sensitive messages from offboarding employees is fully automated.
Cloudera continues to find additional applications for Material: conducting forensic investigations, removing misdirected emails, understanding SaaS usage to reduce fragmentation, and assessing applications and users with poor password hygiene.
The best part according to Cloudera? Their efforts to secure their organization through technology are also transforming their most important line of defense: their security culture.