When you think about the immediate threat of email, you look at which phishing attacks hit the inbox. When you think about the total risk profile across Microsoft 365, you have to look much further and much deeper. We sat down with Erik Wille, CISO, and Tom Noll, Director of Infrastructure & Service Delivery at Cabinetworks Group, for an illuminating conversation around securing the productivity suite as a whole, and how their team loves Material as their unified toolkit for email threat detection, investigation, and response.
Knowing when it’s time to migrate off your SEG
Cabinetworks Group is the largest privately held cabinet maker in the US, with 19 brands and over 8,000 distributed employees. With such a vast email footprint, securing employees' mailboxes is critical, but it can't get in the way of business continuity. For many years, the only tooling available on the market to protect email was a Secure Email Gateway (SEG). But with the move to the cloud operating model, the SEG approach has far too many drawbacks to be effective: you only see email traffic as it happens, the detection rules are only signature-based, and the blocking pattern only gets in the way of people trying to do their job.
As infrastructure experts, both Erik and Tom recognized the need to migrate to an API-based email security solution purpose-built for the cloud operating model. Amidst a changing marketplace, they took a look across their entire security stack to identify where both enhancements and consolidation were possible. As every security team across every industry faces an attack surface greater than their allocated resources, it’s imperative to get the most out of every budget item.
Smartly, as they investigated email security solutions, they took a step back and looked at the larger risk profile. Microsoft 365 is a massive system that forms the backbone of all employee communication and collaboration. As such, it is a piece of critical infrastructure, and comprehensive security means broad coverage across email, accounts, and data. Because they were going to go through the effort of migrating off their SEG, they saw little sense in simply getting an API-based version of what they already had.
Securing the productivity suite with Material
First impressions in security software matter. It's why we at Material place so much emphasis on performing a historical look back as part of the POC. We always illuminate something that would otherwise have been hard to spot. And when you've been working with a legacy SEG for a few years, visibility at depth is quite refreshing, as both Erik and Tom noted early in their evaluation of Material.
Erik and Tom deployed Material alongside their existing tooling with no operational impact. With heightened visibility came efficiency gains that were welcomed across the team – a faster search experience within a single place to investigate email issues was a notable improvement to their previous setup, which often meant running dual investigations in Exchange and their SEG tool. As the email threat landscape continues to evolve, having an adaptable solution like Material enables Erik and Tom to gain confidence that new flavors of attacks are being caught, and that they can dive in to perform in-depth investigations where needed.
As they noted during their evaluation, gaining insight into the risks and behaviors associated with the larger productivity suite was a big part of choosing Material. Where the team saw immediate value was in the ability to correlate risky user settings, such as email auto-forwarding, with sensitive data access, such as HR or Finance information. The protection extends across the organization, which Erik and Tom noted was also helpful for raising security awareness.
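The correlation described above, written out as an added example (this is illustrative code, not Material's own logic or data): it runs over a handful of constructed mailbox events, flags inbox rules that forward mail outside the organization, and raises the severity when the same user also touched HR or Finance mail within a short window of the rule being created. Event shapes, domains and addresses are all assumptions.

```python
"""Correlate external auto-forward rules with sensitive-data access per mailbox."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; not real audit records from any tenant or product.
# Each event: ISO timestamp, mailbox owner, event type, and type-specific detail.
EVENTS = [
    {"ts": "2024-03-01T08:02:00", "user": "alice@example.com", "type": "inbox_rule_created",
     "detail": {"forward_to": "alice.backup@mail-example.net"}},
    {"ts": "2024-03-01T08:10:00", "user": "alice@example.com", "type": "sensitive_mail_access",
     "detail": {"category": "Finance", "subject": "Q1 invoices"}},
    {"ts": "2024-03-01T09:00:00", "user": "bob@example.com", "type": "inbox_rule_created",
     "detail": {"forward_to": "bob@example.com"}},          # internal target, not flagged
    {"ts": "2024-02-20T12:00:00", "user": "carol@example.com", "type": "sensitive_mail_access",
     "detail": {"category": "HR", "subject": "Offer letter"}},
    {"ts": "2024-03-02T07:30:00", "user": "carol@example.com", "type": "inbox_rule_created",
     "detail": {"forward_to": "carol@example.com"}},        # internal target, not flagged
    {"ts": "2024-03-02T07:45:00", "user": "dave@example.com", "type": "inbox_rule_created",
     "detail": {"forward_to": "archive@external-example.org"}},  # external, no sensitive access
]

INTERNAL_DOMAINS = {"example.com"}          # assumed organization domains
SENSITIVE_CATEGORIES = {"HR", "Finance"}    # categories the page calls out


def is_external_forward(event):
    """True when an inbox rule forwards to an address outside INTERNAL_DOMAINS."""
    if event["type"] != "inbox_rule_created":
        return False
    domain = event["detail"].get("forward_to", "").rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def correlate(events, window=timedelta(days=7)):
    """Return {user: finding} for every user with an external auto-forward rule.

    Severity is 'high' when that user also accessed HR/Finance mail within
    `window` of the rule's creation, otherwise 'medium'.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        sensitive = [e for e in evs
                     if e["type"] == "sensitive_mail_access"
                     and e["detail"]["category"] in SENSITIVE_CATEGORIES]
        for rule in (e for e in evs if is_external_forward(e)):
            rule_ts = datetime.fromisoformat(rule["ts"])
            hits = [s for s in sensitive
                    if abs(datetime.fromisoformat(s["ts"]) - rule_ts) <= window]
            finding = {
                "forward_to": rule["detail"]["forward_to"],
                "categories": sorted({s["detail"]["category"] for s in hits}),
                "severity": "high" if hits else "medium",
            }
            # Keep the most severe finding if a user created several rules.
            if user not in findings or finding["severity"] == "high":
                findings[user] = finding
    return findings


if __name__ == "__main__":
    for user, f in correlate(EVENTS).items():
        print(f"{f['severity']:6} {user} -> {f['forward_to']} {f['categories']}")
```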
With Material, Cabinetworks Group gained a true partner to address risk across Microsoft 365 and a force multiplier for security operations. As we continue our mission at Material to cover the productivity suite, we appreciate our customers who see the bigger picture and help us remain diligent and focused.
“What we saw differently really with Material, and that was as you start to meet the Material team, you start to understand passion for the agility for what they're doing for organizations, and the meaningful impact that they want to have on organizations and the teams that are running the tool to be able to address the risk within their environment and it delivers.”
Full Session Transcript
What is your general approach to security across all of Microsoft 365? Which risk areas do you think are more important than others to cover? And how do you think about prioritization about where to apply protections or where you need specific visibility?
Erik Wille: So it's a broad topic, right? Because as we think about 365, it comprises so many things within the productivity suite. We're talking about collaboration and all the different components. One of our biggest focuses this year was on the technology stack that we had in place and kind of a couple of different lenses:
One is looking at if we are actually utilizing the tools that we have, and two is looking for overlap between the tools. As the security space continues to evolve, you really are starting to see this overlap, and it's interesting as Tom and I have talked about this from an infrastructure and security side. He’s seeing the same thing happen. You think about a Venn diagram. It's almost like an eclipse here as we continue to overlap each other.
And the third [lens] is really looking at some of our tools where maybe they don't meet the test of time – that it was a great decision at the time, but it is time to reevaluate since the marketplace is changing. So we've really been looking at that.
As we apply that to Microsoft 365, that's really what led us to Material and reevaluating the whole email space. To take a step back, I think we would do ourselves a disservice if we looked at it as just focusing on email, right? As I mentioned, 365 is so broad as we get into productivity.
Now we're talking about sensitive data. We're talking about within OneDrive, within different documents, that could be SharePoint, that could be Exchange itself with an email and really starting to focus on what really matters to us, because I think as we look at the phishing space, for a lack of better terms, it's become commodity. There's a lot out there that is focusing on just the phishing component, but there's way more than that. We know at some point a mailbox is going to get popped, somebody is going to lose their credentials. What then? And really focusing on, okay, can we replace some of our partners with somebody that can take care of the ‘what then?’. They can give us a deeper look into, did they have access to sensitive information? What is the actual risk posture or the risk result of an incident to the organization? And that's been a huge move for us rather than looking for point solutions in every area.
That's a great point. We say this a lot at Material, right – your productivity suite, whether it's Microsoft 365 or Google Workspace, isn't just another application, it’s critical infrastructure to the business. And if you look at all the attention and focus that is given to cloud infrastructure, whether it's AWS, Azure or GCP, we just haven't really seen the same level of focus for the productivity suite specifically. It gets lumped in with other SaaS applications, but as you pointed out, it's a much wider, broader attack surface and risk area. I'm just curious, is that statement something you would generally agree with?
Erik Wille: 100% yeah, I think, and we can look at it through the lens that, I loved how you put it, on just getting lumped in with the cloud security suite, that then you're back into the game of what I mentioned: you're buying different point solutions based on your perceived risks, and now the inefficiencies continue to grow with swivel chair activity. It was this type of risk, I got to go here. It's this type of risk, I got to go here.
And that's again, back to one of our focus areas. Can we start replacing incumbent partners with those that give a broader lens to what's actually going on within the organization, and this one in moving to Material has been a huge win for us and starting to gain visibility and curb some of the risks within our environment. As we've mentioned, it's a lean team, so efficiency is huge for us and finding those opportunities where you don't necessarily have the ability to add headcount. How can we take what we already have and make them more efficient and really at the same time, empowering our employees spread all over the globe. So you have team members that are out in countries that are, we'll say adversarial to us and still have to allow them to be able to work, understand the risk, what the behavior, and what's going on without creating a lot of friction for them. This has been a huge win for that.
Tom Noll: Yes, it is. Basically, somebody had to be in there babysitting constantly, and that's not the case with Material. And the other thing with the incumbent was it was at the gateway level. With Material it not only looks at the emails coming in and going out, but it also goes back and looks at the legacy [of] what was already in your mailbox, which I think is a huge benefit, and I'm very pleased with. I mean you set it up, let it run and only use it whenever you need to search for something.
Erik Wille: Right? Yeah and I think a testament to that is Tom and I were on a call today and talking through something that had gotten into the environment and looking at an email. And as we're going through what tool are you using to look at it? He goes “I'm in Material!” To me, that was huge because typically it would have been we're over in Exchange running rules and anybody [who has] through trying to look at mail flow and run a trace on that, it's brutal. It takes a long time and your ability to more accurately filter to what you're looking for and get details out of it is very little.
That's really important. Security teams and security leaders are strapped for resources constantly. We use this term “alert budget” – how much alert budget do you actually have to work with?
Across every industry, including yours, the threat landscape is obviously very dynamic. In what ways have you seen email security, productivity suite security evolve over the years? And what factors do you think contribute to those changes, both from an attacker perspective and from a defender perspective?
Erik Wille: I think we could all agree that they're changing on the daily. As we look at some of the techniques that are being used, there's a lot of times that we take a step back and go, “Kudos, that was clever. That was really good.” There's almost like an admiration for some of the attempts that come through, so I think finding those partners that have not only the data science teams with the platform that can quickly leverage that is a major part of us being able to keep up with some of those threats is again, a rather small team.
So if it's all incumbent on us to try to figure out those evolving threats, we're going to lose every time, and that's why we look to partner with those that are able to adapt. And that was one of the huge things as we think about agility that led us to Material as well, that what we've seen in the ability to take some of the ideas that we've come up with and build them into the platform and make changes on the fly. I can't say I've seen that before in a company of this size that's had this much success. So that becomes really good that as you think about it from the team's perspective, the additional buy-in that they had that, hey, not only did we move to this platform, but they are listening to us, they're making changes, and making our lives easier. Huge.
Overall, what were some of the contributing factors from moving off of a secure email gateway (SEG) to adopt an API based email security solution?
Erik Wille: I would say the biggest thing for me was visibility. There was probably, for lack of better terms here, a little bit of trepidation because the industry has always been in the SEG model, right? That we've always done the proxy for email, so moving to API was vastly different. But then you start to recognize that the efficiencies and speed gains that you get because of that are massive. One of my first messages to Tom when I joined the Cabinetworks Group team was "I can't get any data from our email provider!" And trying to bubble that up and talk the audit committee through what are the risks that we're seeing and how are we responding to them? I'm completely at a deficit. I have nothing to show them, no meaningful data to pull out of that. You feel helpless at that point because the audit committee is looking at you to know how you are protecting the company. What are you doing to move us? But spinning that now and talking the audit committee through, hey, we just made this major move to Material, and that gained us all of this additional visibility. This speed and efficiency on the team has sat really well with them.
Tom Noll: With the other email security, you basically had to look in two places. You had to look at the gateway level, and then you also had to go into Exchange and look at both places. Very seldom now do I have to go into Exchange, because Material is already looking at what is in Exchange.
Erik Wille: To add onto that, if we think about how Exchange was really more just on the technical side. It doesn't give you any data that really ties back to risk and understanding. It really limits your ability to respond to events.
That's exactly right, and when you think about email security on the surface, you think about email as a delivery method and you stop there. If you're treating it like a security, like a perimeter, you're just worried about delivery. But something to think about is email as an attack vector and an attack target with all of the sensitive data. Then it starts to become a much larger problem domain. And again, you're both infrastructure people and you recognize that the job is often a heavy set of disjointed wrangling efforts. And you're not just wrangling attacks. You're wrangling system configurations, user behaviors, you're wrangling all of the data. And if those things are not well-correlated, it's really hard to find anything useful. So I'm glad that you both recognized that and came to the right conclusion.
Erik Wille: Absolutely. Yeah, and to put a bullet point on that as well. I think a big testament to that is that there's a lot of companies out there that will give you the road map and the road map looks great. How often do you actually see a company execute on that road map? And I think that's what we saw differently really with Material, and that was as you start to meet the Material team, you start to understand passion for the agility for what they're doing for organizations, and the meaningful impact that they want to have on organizations and the teams that are running the tool to be able to address the risk within their environment and it delivers.
Good lead into the next question. What were your first impressions as you started engaging with Material, and what were some of the deciding factors in choosing us over alternatives?
Erik Wille: At the end of the day, the team is who is in there on a daily basis. And the biggest thing for them, I'll keep going back to, is efficiency. Can I quickly find what I'm looking for, or, best case scenario, I don't have to search for anything because it already got stopped from the get-go, which is great. And that ability, and what really won them over, is what I was talking about in agility and being able to deploy changes and some of the ideas that they brought to the table. It was amazing going through the POC process. One meeting we bring up an idea and by the next meeting we go, "Oh yeah, here! It's in the dev environment here. Let me show you what we've already been working with and playing with." That is just, it's a huge benefit to the team and being able to make those tweaks to how we operate on a daily basis.
Tom Noll: What caught my eye is just the amount of information that you can get from the console and what it does compared to what we had used before. Just the mass amount of data that is available to you at your fingertips was very appealing to me.
Erik Wille: Right! I would tell you the look back alone was the ‘aha moment’. The depth of the data is really cool. It's geeking out from a technology standpoint. We've seen that evolution grow that the more telemetry data that we're getting on each of those risks to better understand, here's the criteria that we looked at, here's why it should be flagged as risky, and here's why we stopped it has continued to grow. And it's really insightful into how much, how many different types of attacks there are and how that's evolving in the email space.
Tell us a little bit about what that migration was like and how did you get to the right confidence level where you could turn off your gateway solution?
Tom Noll: Since it is an API, we could run in parallel and didn't really have any issues. And then when we were done with the POC and said, yep, okay. It's time to cut off. It was very easy to do. Very little to no disruption from the end user.
That's great. And let's talk about detections now. Email attacks can come from all sorts of angles and different flavors. Have you noticed any trends in Material in terms of how our detections have evolved over time, how your company is reporting suspicious messages? Anything notable since you've adopted Material on the detection front?
Erik Wille: Yeah. I would say that there's almost a sense of pride from some of our employees in being able to report it. Because once you report it, then anybody who has got that email, "Yep, hey, somebody else within the organization also reported this. I want to verify that you really want to go to this link, that you know what you're doing." We know there is no tool out there that is a silver bullet, that's going to be a hundred percent, right? Things are going to get through, so I think having those additional controls is really leveraging the power of all of our team members across the organization to collectively protect us.
What has been your experience working with the Material team, both from an account management perspective and also from a technical support perspective?
Tom Noll: Phenomenal. The willingness to be engaged with us during the whole aspect, whether it was a POC or the actual setup and cut over and all that. It was exceptional. And even after the fact, the follow up asking, “Hey, how's everything going? Is there anything that we can do better?” Just from my standpoint, it's been phenomenal.
Erik Wille: Yeah, very much. The whole onboarding process was very white glove and entertaining all of the questions, walking us through all the different components, walking us through here's what we're seeing other customers do, here's our best practices, here's how you minimize any impact to the organization really helped us.
We've run dedicated sessions with you where we take our data science team, they unpack some in-depth findings across your environment. How have we helped uncover some findings that maybe uncover trends around phishing attacks or trends around sensitive data across your workforce?
Erik Wille: Yeah, so I would actually say that the sensitive data one was a huge one because it actually empowered us to have a conversation with people. As we rolled out MFA past a certain point for some of the sensitive emails. Naturally everybody gravitates [towards] “I'm going to need that email.” Because I think a lot of people look at email as, unfortunately, a storage location, not what it was meant to do, but actually being able to show, “Hey, since we've had this turned on, you've only gone back X number of times. Do you really need that data?” And then I think once you started explaining to them the additional protection that, “Hey, at some point, somebody could get into your mailbox, but because this is now protected, they couldn't get to what matters most within your email” has been a huge kind of light bulb moment for them, helping them understand why we had that change, as well as you think about it, just from a visibility standpoint, that now it's another way I can look at my mailbox for productivity. That if I'm looking for mail that might've had an invoice, or if I'm in HR and I'm looking for something that might've been about an employee, I got to look back that I can now clearly see that, “Hey, this was flagged. This is sensitive. This is what I'm looking for.” So it's helped start to delineate through some of the noise in mailboxes.
In terms of integrations with your security operations center, I’d love to hear a little bit about anything that you have Material hooked into, which Material events you are subscribed to, and how are you responding to any of those as they come into your tooling?
Erik Wille: Yeah. So what's interesting there is every month I go through the team and have 1:1s with them, and one of the questions I had asked them this month was about starting to take some of the alerts in Material and start to port them over to Microsoft Sentinel (as our SIEM) and the resounding answer was, “No, we want them to stay right in Material.”
Why? Because we get all of the telemetry data and it's much easier to find additional data points within Material. They are very content on wanting to work just in this portal because it's just much more intuitive.
Oh, we'd love to hear that! And especially as we start to unify a lot of the risk areas across Microsoft 365, it's good to have a single view into not just email information but account information, sensitive data, and trying to look at things in a more unified fashion. So I'm glad to hear that people like the Material dashboard in that sense.
Erik Wille: Oh, plus there's additional data there that's tough to get in other places. I will say Microsoft does a great job of logging but actually being able to take those logs and parse them together and make them usable is not the easiest thing in the world. And starting to understand that, okay, an email came in, I got the telemetry data about the email, but then I started to understand a mail-forwarding rule or something else was created. I can now start to piece together activity that happened after the email, rather than again, to going back to the swivel chair activity and having to go between all those different portals. So when that's already available to us in one place, there's just not a lot of drive to start hoarding it somewhere else where I got to piece it together again.
What would you say are Material’s most unique capabilities in the market compared to what else you've seen?
Erik Wille: As we take a look at the competition out there, it is really focused on just the email side. But taking a step back and understanding that email is just one component of the overall collaboration stack, not to diminish email, it is important, right? That it is still one of the areas where we see the majority of attacks, but we're starting to see those pivot. So starting to look at it from a broader lens, how the different collaboration components play together and being able to apply those rules, the telemetry, the visibility across that entire collaboration stack is a huge market differentiator for us.
That's great to hear. Thank you both so much for your time. This was a fantastic conversation. Now, Erik, I understand you have lots of these conversations because you host a podcast called The Great Security Debate. I'd love to hear just a little bit about what topics you cover.
Erik Wille: Absolutely, yeah! The focus area was taking the learnings that we've had in the boardroom and how do we start to distill those down and break them down to smaller organizations in bite-sized chunks, and being able to number one, better understand security, but to apply them and understand how do I actually curb risk within my organization? There's nothing scripted ahead of time. That as our essay kicks off, it says ‘you're now joining the conversation’ and process, and that's literally what it is. A couple of us jump on video, have a conversation, record it and post it.
Love it. Those are the best conversations to have, and I’m glad we got to have one as a group here today.