More than 30,000 companies trust Carta to help with their equity management and infrastructure. In order to maintain that trust with thousands of founders, investors, and employees, Carta built a mature security program focused on keeping its customers’ data private and secure.
Meet Vince Parras, who’s been running Security at Carta for more than four years, primarily focused on corporate security and audit. Back in 2020, the security team began to grow quickly alongside business needs. For Vince and team, email was a huge attack surface that needed special attention. The team saw the existing filters from Google as representative of what they’d get from other blockers and wanted more than just another filter that would block a few more emails but still let some through. Vince shared, “Google does good enough when it comes to filtering and we’ve accepted that. We enhance our security further with Material.”
Vince had previous experience using Material Security during his time at Cloudera and found he had similar security needs at Carta. The security team moved forward with an evaluation of Material.
Maturing phishing protection
Vince was on a mission to better train his fellow Cartans and prevent phishing incidents while not disturbing their workflows. “We can’t have too many cooks in the kitchen when it comes to email. It’s very tough to bolt on security to a legacy system like email. Employees expect it to just work, and we cannot mess that up,” said Vince.
Carta’s original phishing workflow relied on manual oversight by two security team members, and triaging reported emails was likewise challenging.
Vince was familiar with Material’s Phishing Protection solution, which could provide better automation and self-service for his employees. “Automation is key for my team. It’s all about self-service. I want to empower Carta’s employees,” Vince said.
First, the team ran a POC to see how Material looked in their environment. Here’s how Phishing Protection worked:
- Reporting: When an employee sees a suspicious message, they can click a “report” button directly in the mailbox rather than have to drop a note in Slack.
- Automatic Clustering: Once a message is reported, Material’s technology automatically investigates the message to find similar-looking messages across the organization.
- Remediation: The security team customizes the default remediation that triggers before any manual security review is needed. For example, they can populate a note to employees warning them that they should take caution with that message or quarantine a campaign until security can review.
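As an added illustrative model (not Material’s code or Carta’s configuration), the three steps above carried through in Python over a constructed set of mailbox messages: a report in one mailbox is clustered with look-alike messages across the organization, and the configured default action is applied to the whole campaign before any analyst review. The similarity key (sender domain, normalized subject, linked hosts), the action strings and the sample messages are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Message:
    msg_id: str
    mailbox: str
    sender: str
    subject: str
    body: str

URL_RE = re.compile(r"https?://[^\s<>\"']+")
WARN = "warning banner: a colleague reported a similar message as suspicious"
HOLD = "quarantined pending security review"

def normalize_subject(subject: str) -> str:
    s = subject.lower()
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s)  # drop reply/forward prefixes
    s = re.sub(r"\d+", "#", s)                        # per-target numbers (invoice ids) vary
    return re.sub(r"\s+", " ", s).strip()

def link_domains(body: str) -> frozenset:
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return frozenset(h.lower() for h in hosts if h)

def fingerprint(m: Message) -> tuple:
    # Assumed similarity key: sender domain, normalized subject, set of linked hosts.
    return (m.sender.rsplit("@", 1)[-1].lower(), normalize_subject(m.subject), link_domains(m.body))

def cluster_campaign(reported: Message, corpus: list) -> list:
    """Every message across the organization that shares the reported message's fingerprint."""
    fp = fingerprint(reported)
    return [m for m in corpus if fingerprint(m) == fp]

def default_remediation(campaign: list, mode: str = "warn") -> dict:
    """Default action applied to the whole campaign before any analyst looks at it."""
    return {m.msg_id: (HOLD if mode == "quarantine" else WARN) for m in campaign}

CORPUS = [  # constructed sample mailboxes: m1-m3 are one campaign, m4 is benign
    Message("m1", "alice", "billing@payroll-update.example", "Action required: Invoice 4471 overdue", "Review at https://payroll-update.example/login"),
    Message("m2", "bob", "billing@payroll-update.example", "Re: Action required: Invoice 9023 overdue", "Review at https://payroll-update.example/login?u=bob"),
    Message("m3", "carol", "notices@payroll-update.example", "ACTION REQUIRED: invoice 1188 overdue", "Please review https://payroll-update.example/login"),
    Message("m4", "dave", "hr@corp.example", "Q3 all-hands agenda", "Slides at https://intranet.corp.example/q3"),
]

def triage_report(reported_id: str, corpus: list = CORPUS, mode: str = "warn") -> dict:
    """One employee's report fans out to every similar message in the org."""
    reported = next(m for m in corpus if m.msg_id == reported_id)
    return default_remediation(cluster_campaign(reported, corpus), mode)
```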
Vince shared his findings on Phishing Protection: “Automation has removed any uncertainty around phishing. We have the peace of mind that one Cartan’s report can help protect others automatically. Material just works.”
Once Carta chose Material, setup and implementation were simple and straightforward. Very little human interaction was needed for either initial deployment or ongoing maintenance of the tool. The security team only needed to train Cartans to use the new “report phishing” button to send messages to the phishing mailbox. Vince noted that many tools end up increasing workload: more alerts, more support workflows to build, and a help desk slammed with questions. “Lots of security tools promise to reduce your workload. Material actually delivers on it.”
Now, when Cartans report phishing emails, the security team asks, “What made this email look suspicious?” The team can then incorporate those findings into ongoing user awareness training and, in the near future, create custom detection rules to block similar phishing emails.
Increased visibility with Material’s data and analytics
The rollout of Material not only improved Carta’s ability to mitigate phishing emails, but the company also gained new insights into a variety of risks with Material’s impressive risk analytics. The team could see who was forwarding sensitive emails externally, how much sensitive content was sitting in employee mailboxes, which business partners carried more risk, MFA status for employees, and more. “Immediately we started seeing data we can take action on to mitigate risk,” Vince said. Carta’s security team could share these reports with the board to give visibility into their current risk state.
One area the team homed in on was third-party risk. “It’s extremely important for us to look at our vendors and see their risk profile. We can leverage the dataset that Material provides to make better, more informed decisions about our vendors,” said Vince. The team could now understand which partners hold the most sensitive content.
Another area of concern was unauthorized apps in use by employees. “Material shows us which apps are at play via the inbound emails from those applications. Material gives us new visibility. By understanding what’s at risk, we can make better decisions overall,” said Vince.
Looking forward
Vince has been a key collaborator on future roadmap items with Material.
Material’s Data Platform will allow Carta to dive deeper into the data. Material provides an out-of-the-box data warehouse so that security teams can better understand what is happening with their email. It also allows for internal threat analysis and detection of both attacks and misuse. “The strength of Material is in the data. I look forward to further tapping into the extremely powerful source of information,” shared Vince.