Color cuts phishing investigation time by 97%

A fast-growing healthcare startup, Color needed to find new ways to automate and speed up security processes while maintaining a strong security posture. Meet Alex Bynum, Information Security Manager at Color. His focus was to streamline the lifecycle of phishing investigations.

Phishing reporting, investigation, and triage was a “really tedious process” at Color. The security team trained employees to report messages by forwarding suspicious messages to a specific security mailbox. The message then would be ingested by their ticketing system. The security team would be alerted to review the individual message. They would then need to manually look for similar messages if they determined the message required mitigation. Alex also shared that there were various ways for users to report phishing outside of the specified process, which meant the security team did not know what they were missing without actively checking for alerts in the Alert Center.

Color’s team needed a simple solution for its users. “We can’t get in the way, as a security team. We really needed a low friction solution to any protections rolled out.” Color’s CISO, Lisa Hall, had previously worked with Material Security at PagerDuty, and recommended the team evaluate Material.

Speeding up phishing investigations with Material

The security team first evaluated Material’s Phishing Herd Immunity feature. This technology enables one user’s report to protect their colleagues in the organization automatically. Material does this by finding and clustering all similar messages into a single case. Before any review, a warning is automatically applied to the case of messages. Upon inspection, the security team can override the remediation to block links and attachments or restore the messages. Whether employees forward a message, mark it as suspicious, or mark it as phishing directly in Google, the security team is notified in a single place. Alex said, “I’m now at ease that we’re not missing any [phishing] reports. Instead of just one entry method that was a bit complex, there are now loads of easy ways for users to report and for us to receive it,” he added.

Message search capabilities also helped Color’s team in investigations. For example, when an employee reports something suspicious to a Slack channel, the security team can easily search for and find the message and mark it suspicious to trigger the usual workflow. The whole investigation process took a lot of time previously, and Alex didn’t feel confident that the attacker would not get to them again. Playing whac-a-mole was just not an option. “When doing phishing triage manually, it felt like I was just patching up leaks, but my ship was still sinking. Blocking a single domain isn’t enough. The fact that Material looks for other similarities is super helpful,” he said.

Within the first week of using Material, the team saw significant results from the new automation. “It used to take me 20-30 mins to investigate a single phishing email. Today I received 5 or 6 phishing emails and spent only 2-5 minutes in Material.” The team can now move faster, has more bandwidth, and is less stressed (even with more phishing reports coming in).

The reporting from Material was also beneficial in showing the value that the security team brings. “When the executives and employee base see that we triaged 50 cases, they know we’re working to keep the business safe. It makes us look really good internally,” Alex shared.

Email retention vs deletion 

Material also helped Color's team with securing sensitive information in mailboxes. Material's Risk Analytics revealed which accounts held sensitive content during the evaluation. "We didn't have a good grip on understanding what sensitive emails lived in mailboxes before Material," Alex said. Previously they had looked at putting retention time on emails. Every 3-6 months, the security team would delete all emails to avoid holding the risk in mailboxes. As one can imagine, users were not happy when they couldn't access older emails.

The Color team implemented Material’s Leak Prevention feature to enable productivity while maintaining security. Here’s how it works: 

1. Material finds sensitive messages in Color’s employee mailboxes. 
2. Material waits and then redacts old sensitive messages in Color’s employee mailboxes.
3. When a Color employee wants to access a sensitive message, they simply verify themselves with their existing identity provider.
4. Once employee verification is successful, the user is redirected to the restored message within their mailbox.

Color no longer needs to delete emails. Sensitive messages are kept safe regardless of how someone unauthorized gets into a mailbox. CISO Lisa Hall shared her excitement, “Leak Prevention was huge for us. We can still access sensitive emails while keeping them protected from unwanted eyes. It has that extra layer of protection.” Additionally, Lisa and Alex were happy that this allowed the security team to remain “cool” because they weren’t forcing deletion on their users.

A supportive and smooth rollout

The Color team also shared their experience with the rollout and deployment: “The Material team was super helpful in getting us up and running. Unlike other vendors, they weren’t rushing things and checked to ensure everything worked properly. I wish all my other vendors were like this.” During the evaluation, the IT and Security teams could easily test it out themselves while keeping the rest of the organization out of scope. Flexibility in the evaluation and deployment of the product was key.

When asked about future plans with Material, Alex said, “I’m excited to partner with Material to continue making things better. I appreciate that their team asks for continuous feedback. I’m excited to provide feedback where I can and partner together.”