Protecting against ATO scenarios at Alto

Strong authentication is something every security professional cares about. We collectively aim to put all of our SaaS applications behind SSO and to apply MFA on every auth workflow, and we rightfully do this to prevent account takeover (ATO). Because an email account acts as a de facto identity layer for sensitive data and downstream applications, one might expect equally strong protection to come built into the email providers themselves; in practice, protecting what already sits inside the mailbox requires added security tooling. We sat down with Aaron Clukey, Director of Information Security & IT at Alto, to discuss all aspects of email security starting from an “assume breach” perspective, and how Material protects the business from ATO and Insider Risk scenarios.

From legacy SEG to API-Based Email Security

When Alto first adopted email security tooling, Aaron’s predecessors faced the usual choice between a traditional Secure Email Gateway (SEG) and an API-based solution, and chose Material. Aaron was not part of that decision, but having lived with the tweaking, management overhead and clunky end-user experience of a SEG elsewhere, he was pleased to inherit a better situation. “I've dealt with Proofpoint before,” said Aaron, “and it is a lot of tweaking and management and making sure that it works well for the end users. Material in contrast is, at least for me, very much plug and play. It works well for a very lean team to make sure you're still covering your bases and making sure your email suite is secure.”

Total email protection with Material – phishing, ATO, and data access

Adopting an API-based email security solution, whether coming from a legacy SEG or from nothing at all, is an opportunity to address the larger attack surface rather than inbound phishing alone. Aaron recognizes that email accounts are a high-value target. “We want to make sure that if an account takeover happens and an attacker gets into an inbox, they are very limited in what they can access,” said Aaron. As an organization that handles sensitive customer and financial data, Alto is heavy-handed with identity and enforces FIDO2-compliant, phishing-resistant MFA (a hardware security key for every team member) on all accounts. Material adds a second layer by wrapping messages that contain sensitive data, so that retrieving the original content requires step-up authentication even from a session that is already signed in.

Much as a legacy SEG misses risk that already sits inside the mailbox, traditional approaches to Data Loss Prevention (DLP) that rely on inspecting outgoing traffic are easy to circumvent and noisy. Protecting sensitive data where it lives, behind strong authentication, is far more effective. With that containment strategy in place using Material, Aaron and team have protections for both ATO and insider-risk scenarios that go well beyond the status quo. “We want to make sure that we're protecting the contents of the inbox from the inside as well as protecting against attackers,” said Aaron.
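To make the contrast concrete, here is an added example in Python; it is not Material's code or Alto's configuration. It shows a naive egress-only DLP check that regex-scans the outgoing body, the trivial encoding that slips straight past it, and a minimal at-rest alternative that classifies stored messages for an SSN-shaped pattern or a Luhn-valid card number, replaces the body with a placeholder, and releases the original only after a step-up check. The `Vault` store, the `step_up_verified` flag and the sample mailbox are constructed assumptions for the demo; in a real deployment the step-up would be a fresh FIDO2 assertion, not a boolean.

```python
import base64
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample mailbox for the demo; the SSN and card number are
# well-known placeholder values, not real data.
SAMPLE_MAILBOX = [
    {"id": "m1", "subject": "Lunch?", "body": "Tacos at noon?"},
    {"id": "m2", "subject": "W-2 copy",
     "body": "Employee SSN 123-45-6789 attached as requested."},
    {"id": "m3", "subject": "Card on file",
     "body": "Use card 4111 1111 1111 1111 for the renewal."},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; the Luhn check
# below filters out the many digit runs that are not card numbers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            labels.add("pan")
    return labels


def outbound_dlp_blocks(body: str) -> bool:
    """Egress-only DLP: scans the outgoing body and nothing else."""
    return bool(classify(body))


def exfil_encoded(body: str) -> str:
    """The trivial evasion: base64 the body before sending it out."""
    return base64.b64encode(body.encode()).decode()


@dataclass
class Vault:
    """Stand-in for the protected store holding original bodies (assumption)."""
    originals: dict = field(default_factory=dict)


def wrap_mailbox(mailbox: list, vault: Vault) -> list:
    """At-rest protection: replace sensitive bodies with a placeholder and
    park the original in the vault under a random reference token."""
    wrapped = []
    for msg in mailbox:
        labels = classify(msg["subject"] + "\n" + msg["body"])
        if not labels:
            wrapped.append(dict(msg))
            continue
        token = secrets.token_urlsafe(16)
        vault.originals[token] = msg["body"]
        placeholder = (f"[Protected message ({', '.join(sorted(labels))}). "
                       f"Verify with your security key to view. ref={token}]")
        wrapped.append({**msg, "body": placeholder, "wrapped": token})
    return wrapped


def retrieve(msg: dict, vault: Vault, step_up_verified: bool) -> str:
    """Release the original body only after step-up authentication.
    step_up_verified stands in for a fresh FIDO2 assertion (assumption)."""
    token = msg.get("wrapped")
    if token is None:
        return msg["body"]
    if not step_up_verified:
        raise PermissionError("step-up authentication required")
    return vault.originals[token]


if __name__ == "__main__":
    body = SAMPLE_MAILBOX[1]["body"]
    print("egress DLP blocks plaintext:", outbound_dlp_blocks(body))
    print("egress DLP blocks base64:   ", outbound_dlp_blocks(exfil_encoded(body)))
    vault = Vault()
    for m in wrap_mailbox(SAMPLE_MAILBOX, vault):
        print(m["id"], "->", m["body"])
```

The egress filter catches the plaintext SSN and misses the same body once it is base64-encoded, which is the circumvention the paragraph refers to. The wrapped mailbox does not depend on inspecting any outbound path: an attacker who lands in the inbox after an account takeover sees only placeholders, and `retrieve` refuses to release an original without the step-up.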

As attackers use AI to craft highly personalized messages that evade traditional blockers, layered defenses for inbound email are paramount. Aaron and the team at Alto run periodic phishing simulations through Material, paired with short walkthrough videos, to train the workforce on what to watch for without blaming the person who clicked. Before malicious messages reach a user’s inbox, Material’s detections are already catching a lot, from Business Email Compromise (BEC) fraud to fake Microsoft 365 login pages served by adversary-in-the-middle kits such as evilginx. “Material does a good job on capturing these through their detections,” said Aaron.

Getting more value from an email security solution means more than added protections; it also means less operational burden and less time spent in triage and investigation. Material is purpose-built to be a force multiplier for incident response teams, or for a one-person “Security Guy” like Aaron.

“I think with any security product, the less dashboards you have to look at every day really helps. Material does a good job in making it a quick and easy in and out to check on something. ‘Okay, we're good, let's go’. I don't spend a lot of time in here as much as I thought I would because the detections are good – it's easy for me to come in and triage and close it out.”

Full Session Transcript

Tell me about your day to day. What is your role at Alto? And what's the overall makeup of the security organization?

We're a pretty lean team. We're in the startup space, on our Series B, but that doesn't mean that we shouldn't focus on security. I know there's a lot of initiatives with early stage companies to focus on growth. And while that's still a priority of our organization, we realized that we deal with sensitive information, we deal with financial information – we need to secure our customers.

So I'm the “Security Guy”, the “Janitor”, the guy that's cleaning up messes – officially a Director of Information Security and Technology here at Alto. But we've got a lot of passionate people that help share the responsibility with me – anything from incident response to policy and procedures, it's quite a gamut that I cover here.

Yep. Security guy. Gotta wear a lot of hats. Let's get into email security a little bit. We have a saying here at Material, which is that your productivity suite isn't just another application. It is critical infrastructure to the business. I mean, effectively it's the system of record for all people, content and communications over all time.

So with that broad surface area, I'd love to hear what your overall approach to security is across Google Workspace as your productivity suite. Which risk areas are most critical, and how do you prioritize some of the protections that you need?

I think with Google Workspace, and really security as a whole, especially with the amount of breaches that are coming out every day, it's just having the methodology of assuming breach and protecting what you can through defense in depth. So if something fails, let's make sure it fails safe, and email contains a lot of sensitive material. So we want to make sure that if an account takeover happens and an attacker gets into an inbox, they are very limited in what they can access.

And one of my favorite features in Material is the wrapping itself on sensitive data. So if an instance of customer PII or contracts on our companies or insider information on how our products work is within an inbox, it gets wrapped up. And we're pretty heavy-handed with the way that we handle identity – I think it's the entry point. So we enforce FIDO2-compliant MFA – everybody on our team has a YubiKey to limit man-in-the-middle attacks. We want phishing resistance there.

Material Security wrapped up combined with a YubiKey really makes it nearly impossible for any sort of a takeover on a sensitive message that lands in an inbox.

Yeah, you just really have to assume breach these days. There's just so many ways in. But you also can't discount what happens once somebody's in, and then it's: what is the way out? And that's where all data exfiltration events happen. So I'm glad that you take such a strong-handed approach to identity.

Aside from strong authentication, what else does defense in depth mean to you in Google Workspace?

Not just phishing protection, but being cautious around data loss prevention and insider risk as well. People aren't inherently malicious, but they can send out stuff that is sensitive. So we want to make sure that we're protecting the contents of the inbox from the inside as well as protecting against attackers.

We really want to focus on that relationship of informed consent and transparency within our organization – make sure you protect what's in your inbox, but by flagging something as malicious, you're protecting the internal team as well.

And that's the Phishing Herd Immunity piece that Material has built on. It's really impressive and makes people feel involved as an augmented arm of the security team.

Yeah, that's great. That's really smart. I think if you consider the typical approach to phishing and email, it's all about the outside in and trying to stop attacks. But what about the inside out? I think having those layers of defenses from the inside out, both from a user perspective, but also what can we do to protect the data that's in here?

And I'm glad that you've leveraged Material for that data protection. And, thinking about the whole threat landscape, it's constantly changing, right? So in what ways have you seen email security evolve over the years, both from an attacker perspective, but also from a defender perspective?

I think from an attacker's perspective, they've got no excuse to have a misspelled email now. With the advancements in AI and the prompting you can do to generate a malicious email, it makes it really hard and blurs the line on what's malicious. An everyday user isn't really going to be paying that much attention to the metadata within an email. So you've got to be really quick to respond to something like that. It looks good enough, right?

Material does a good job on capturing these through their detections – from Dropbox Sign requests to payroll solicitation. I mean, there's a lot you can scrape without having a leak: from LinkedIn, CRMs, PitchBook – you can find the team. So there are ways for attackers to use that and try and get in one way or another. And they've gotten much better at making something that looks believable.

Yeah, it's pretty wild. I mean, with AI, you actually get the worst of both worlds. You get the high volume, but you also get the high personalization, right? And so combating that is pretty intense from a defense perspective. You mentioned the metadata in email – what else do you think are important things to look for in email when you have these more sophisticated, social engineering attacks?

Some of it comes down to trusting the detections that Material has and that they capture a lot of it. But a lot of it is trying to influence your team and provide good guidance on how to identify an email. The concept of phishing campaigns: with Material, if I send out a phishing campaign that's probably too much and too in depth, I'll attach a Loom video to it and we'll walk through, ‘okay, here's where the pieces of this email don't make sense, this is where to look’, and it turns into a learning experience rather than an action of – you did wrong by clicking an email. So it's just trying to inform the team through a guided approach that doesn't make them feel stupid for clicking a link.

Yeah, totally. That's a good way to go about it. And if you look at traditional training modules that are pretty heavy-handed on that front, they don't really make anybody feel better. And they also don't really protect the organization. Now, we talked a little bit about phishing. Of course, there's more to email security than just phishing.

Curious, which facets of email do you think deserve more attention than what the market typically thinks of today?

Especially within Google Workspace, the lack of focus on the Google Groups aspect and securing that as well. There's a lot of ways that the spam filters can be bypassed through Google Groups to land in an end user's inbox. That's one of the big items for me: making sure our Google Groups are secure, because they're going to be externally accessible if they're distribution lists that go to a team member.

Yeah, no, that's a really good point. Curious, do you use our posture management reports to tell you a little bit about some of the group settings, group posture?

Yeah, I use the Posture Management quite a bit to check and make sure that we have the right levels of permission set on the Google Groups, and it's definitely helpful – because it only takes one instance of not having the right permission set to screw you over.

Yeah, it's all it takes. Great, now I know you inherited Material when you joined the organization. Just curious, do you know of any of the nagging points that led your predecessors to explore alternative API-based solutions like Material?

I think we were at a pivotal point where, at that time with my predecessor, we didn't have an email security suite, and so you have two paths, like the traditional Secure Email Gateway (SEG) or API suite. I don't know the initial reason why they chose Material, but I'm glad they did.

I've dealt with Proofpoint before, and it is a lot of tweaking and management and making sure that it works well for the end users. Material in contrast is, at least for me, very much plug and play. It works well for a very lean team to make sure you're still covering your bases and making sure your email suite is secure.

And the team that helped with the implementation, which I was a part of, did a fantastic job, answered all my questions, really led me through. It wasn't a, ‘hey, here's your product, run with it, we wish you the best’. So it wasn't an instance where we had to call in a contractor to help support setting up a Secure Email Gateway.

It was very thorough. Shout out to Mike Tran – he was a great resource for getting that up and running for us and answering questions too, that are not even necessarily related to Material Security, but input on how we can better improve our security posture. And I think that's the same with a lot of the members of the Material team, which have been really open to my questions outside of just email on like, how can we do X, Y, and Z? And it extends past email when you have such a well built security team. It gives me faith in not just the product, but the team behind it that are actually doing their part to make the corporate security side work well too.

Yeah, that's awesome. In Google land especially, I feel like API-based solutions are table stakes. The gateways are just not fit for the cloud operating model and you're going to lose so much.

So, you weren't part of the evaluation, but you were part of the rollout. As I'm sure you very quickly discovered, Material does a lot more than what typically falls under the email security umbrella. What were some of your first impressions when you saw how we handle the sensitive data protection, identity protection, and our posture management reports?

The reporting is great. It really helps influence how people are actually retrieving these messages, what's getting locked, what type of messages are getting locked up. It's easier for me to determine what type of content lives in a mailbox and understand the risk there. It’s really user friendly in comparison to Proofpoint. It's easy to look through the access requests, force unlock stats, and just general data protection.

Yeah, it feels like it's an overlooked area of email – we don't typically think of email as a data repository. It's mostly thinking about it from the traffic, and if your data loss prevention is only looking at outgoing traffic, you're bound to A) miss a lot and B) just get flooded with an absurd amount of alerts on ‘person A sent a sensitive message to person B’, like, okay, give me something real here.

So we always feel like trying to control the data where it exists inside the mailboxes is a much more effective way to go. We'll prevent the exfiltration but also just have strong authentication on what is really sensitive data. Like you would put strong authentication on any other database inside of your infrastructure organization – email is just another one. So I'm glad you picked up on that pretty quickly.

When you first started using Material, were there any other particular “aha” moments where the value of the product just became crystal clear over alternatives?

I think the approach you guys took with one tenant per customer and letting us own our GCP instance really helps from a compliance perspective, but also reduces the risk of a shared tenancy model with other customers. So, that stands out to me. That's a huge benefit that you guys have.

It's fairly unique in the market. Basically, from day one, we were building the product securely by design. And that single tenancy architecture was one of the key early decisions we made.

Based on the nature of the data that we were handling on behalf of our customers, I mean, it just felt like it was the right way to handle that both from a just security and isolation perspective, but also from a searching perspective, having that data platform where we can take all that historical email data, do some transformations, do some enrichment on it, and just expose that interface for you. It's so much better than trying to search through historical emails through Google or Microsoft or any other kind of archival tool. That architecture matters in that sense.

Talking on the search piece – it's a comparison to Vault and digging through Vault in itself. The way that you can use the operators and the custom classifications for finding the mail you want to find is way easier than using Google's bread and butter product.

And thinking about your use of Material, confidence is key to email security. It's a loaded question, I get that – what is your confidence level with Material where you're comfortable turning on protections and remediations across the organization? Is there any automation you have from a remediation perspective?

I'm pretty confident with the way that the classifications and remediations are in place today. The speedbumps sending to spam are doing a great job. We've not turned on the delete immediately. But I'm just about ready to do that.

I've had maybe one instance of a false positive. And that was a user reporting an Amazon gift card that they actually got from their manager.

So we've done a great job training our employees not to click on Amazon gift cards, but the detections are good – they're capturing 99 percent of it. So yeah, the confidence is high.

That's great, we love to hear that. If it's going to be a false positive, might as well be a gift card at the end of that. That's fantastic. That's a funny one.

We're continually tuning our underlying detection engine – we have an in-house threat research team, obviously our engineering team does a lot of work. We're looking at everything that's coming in across all of our customers. You mentioned a few detection trends over time. Have you noticed any particular attack types that are maybe hitting more frequently than others or the types of messages that users are reporting as suspicious coming in?

Seeing more instances of attackers potentially using evilginx – spinning up their own fake Microsoft 365 sign-in. I've had several instances of that over the past month or so. With cloud providers like Linode or DigitalOcean or AWS, I mean, it's pretty easy to spin up an instance of evilginx and trick a user that way, because they're getting more believable, and there's some really good templates out there that are easily accessible. That's definitely new and has been coming in more frequently, but one of the benefits that we have at the organization is that using YubiKeys makes it really difficult for session hijacking as well. So there's less concern there, but still, they're putting more effort into trying to get in.

Yeah, we're seeing a lot of those come in. And I think those fake login pages, like you said, they're getting pretty darn good. So the more that we can detect those as they're coming in and prevent them from even hitting the user's mailbox, the better, but also protecting the user's session.

Right. So I think a lot of people forget that your email account is a de facto identity layer for all sorts of downstream systems and applications. And those account takeover scenarios can be fairly dangerous. Now you mentioned SaaS sprawl a little bit earlier. Are you seeing more signup emails or account related emails come in and do you have the protections in place to stop those or apply the speedbump before the users are signing up for services or resetting passwords?

So we do a pretty decent job on securing any SaaS through SSO, enforcing MFA that way. For the instances where you're hit heavy with the SSO tax, having the wrapper on a password reset for anything that does use a conventional username and password or social sign-in is helpful.

Yeah, no doubt that SSO tax though – got to do something about that.

Now, I know you appreciate that Material does more than what is typically considered email security today. We touched on it a little bit – what would you say are Material’s most unique capabilities compared to what else you've seen in the market?

I think for me the Phishing Herd Immunity piece – anything that really empowers self service of a user to find a way to be an asset to the team is what stands out. Wrapping up the emails, enforcing MFA on sensitive information, having a way for team members to report something as phishing and for other team members then not to be affected by it is a huge contribution. It's better than tracking down one instance of a phishing request and trying to find that in everybody's inbox. It's extremely helpful and really lowers the incident response time for any phishing link that comes in.

Yeah, no, absolutely. The Phishing Herd Immunity – really making superheroes out of your organization, and then the case consolidation, similarity matching – just trying to make sure what you need to address, and then try to apply those protections, remediations across the entire workforce versus doing the same thing a thousand times over as they come in. I'm glad to hear that has been helpful for you. Time savings and probably mental health savings as well.

Yes.

Great. We're also here to help make sense of the total threat landscape – we consider the total threat landscape of Google Workspace to be a combination of things. And email is really more than just an attack method. Email is also an attack vector – it can be used as a pivot point to applications and data. It's an attack target – it's all the sensitive data that exists in email. And we at Material, we try to cover all of that.

So how do you see the value of combining all of Material’s offerings in this realm under a single product suite for you and your team?

I think with any security product, the less dashboards you have to look at every day really helps. Material does a good job in making it a quick and easy in and out to check on something. ‘Okay, we're good, let's go’. I don't spend a lot of time in here as much as I thought I would because the detections are good – it's easy for me to come in and triage and close it out.

That's great. We actually designed the product so you spend the least amount of time in it. That is purposeful. So I'm glad to hear that is the case for you.

In terms of downstream integrations, you mentioned having one place for email. Curious if you're hooking Material into anything using either event subscriptions or using our API.

Yeah. It does a great job of pulling all the data I need when a phishing email is sent and sending it to Slack. I have a centralized resource there and a channel for any security alerts that come in. So it really helps consolidate what I need to look at, what channel I need to go to to make sure we're closing all the gaps.

Great. Love it. Well, I think we covered everything from your security origin story to adopting Material and for all the ways that we've helped you and your team. So I really want to thank you so much for joining us today. It was great hearing about Alto and how we helped you keep the business safe.
