Ridesharing Giant Lyft’s Journey to a More Efficient Phishing Response

When Security Analyst Jae Ward took over email security at Lyft a few years ago, the company had to treat each phishing attack—whether launched by a state actor with limitless resources or an individual with unsavory intentions—like a full-scale breach to have a shot at responding in a timely manner.

While Lyft still approaches email and information security with intensity, Material has enabled the security team to decrease operational overhead while enhancing enterprise-wide protection and replacing an underperforming legacy product. Lyft’s security team realized quick value and improved their leverage, in large part, thanks to Material’s fundamental ability to leverage one employee’s phishing report to automatically protect all of their coworkers. What’s more: the entire deployment process to Lyft’s ~8,000 global corporate and partner users happened within a single work week.

According to Jae, “this was legitimately the easiest deployment I've ever had in my life."

Replacing a Legacy Vendor Because it was “Like Shooting a Fly with a Bazooka”

Before Material’s deployment, just keeping tabs on Lyft employee-submitted phishing reports required a lot of the security team’s time and attention. Sketchy emails and links that eluded inline blocking often remained active threats with ample opportunity to encourage clicks from other users. Lyft’s security team also had to manually scroll through Google security logs to decipher or validate threat levels and check their work before issues could be fully resolved—adversely impacting the team’s bandwidth to tackle other corporate security issues. And the fact that Google only kept 90 days of security logs often complicated investigations.

Jae knew a shift had to happen: the old way of manually responding to reports submitted by a growing number of security-minded Lyft employees at all hours and from all corners of the globe wasn’t sustainable. Lyft needed to move to an automated solution that could protect Lyft’s corporate email infrastructure and high-priority targets without disrupting employee workflows.

Unfortunately, Lyft’s first experience bringing on an external partner to tackle enterprise-wide phishing responses left Jae’s team feeling like they were “shooting a fly with a bazooka.” According to Jae, the SOAR platform they initially selected had a bloated feature set that was complex to integrate and customize. It was also massively overpriced for the value they were getting as false positives surfaced and phishing attacks slid through the perimeter.

Lyft’s security team, led by Jae and Head of Security & Privacy Nico Waisman, ended up making the call to explore other options. Specifically, Jae and Nico were looking for a partner that delivered a toolset to substantively deal with the omnipresent phishing threat while leaving Lyft’s security team with the bandwidth to address other, more pressing issues. That meant the tool couldn’t be too heavy-handed, require lots of configuration, or demand ongoing management.

Lyft met with multiple top-tier vendors of the traditional “detect and block” gateway products that have characterized email security for decades. Nico and Jae ultimately selected Material after they quickly validated (in production) the platform's ability to help the company (and the security team) handle phishing attacks of any scale and from every type of threat actor.

“Feature-wise, what impressed me was Material’s approach to email security—they weren’t trying to be some superhero type of program that promises to block everything,” says Jae. “It’s much more pragmatic: Things will get through. How do we protect our users’ data and IP when they do?”

When put into practice, Material immediately helped Lyft boost detection and response times without causing workflow disruption or reinvention, according to Waisman.

Deploying Without A Single Workflow Disruption

Jae’s team began their journey to Material with a short proof-of-concept trial that involved a diverse group of Lyft employees with varying phishing risk profiles. Results were immediate. Material’s value was clear: 40% of Lyft employees clicked phishing emails sent by Jae’s team to test the system before the POC with Material—versus only 25% following it.

With data in hand, Jae and team were ready to proceed with a full rollout on an ambitious timeline. Jae’s central goal was to deploy Material without disrupting Lyft’s email system and with little-to-no impact to user workflows.

“The first thing that grabbed me about Material was how cleanly it integrated with G Suite,” says Jae. “The day we set it up, we were done in an hour and there weren’t any workflow disruptions.”

Lyft began deploying Material by rolling it out to the company’s larger, more sensitive groups—starting with engineering departments and other high value targets. Within a single work week, the security team deployed Material to all 8,000 enterprise and partner accounts at Lyft working directly with Material’s team of security experts throughout.

"The intensity of participation and support that we got during the POC and deployment process made us feel great. It made everything a lot easier,” explains Jae. “It's that very white glove service that a lot of other vendors will try, but they don't have the sustained focus on a single customer—something we continue to receive from Material even after the initial deployment. Material has helped make our job easier versus adding more work to our plate."

"Previously, our security team would jump between this, that, and the other platform to investigate phishing reports and respond to detection alerts. I'd regularly have at least four different windows open to accomplish one task. Whereas with Material, it's a freaking breeze."

Amplifying Lyft’s Established Culture of Security

According to Jae and Nico, Lyft’s culture of involving every employee in information security was amplified by the deployment of Material. The security team continues to provide training courses and mandate an annual ‘InfoSec 101’ course for every individual with a Lyft-associated email account.

Now, thanks to Material, there’s an added layer of security when a vigilant employee reports a potential phishing attack: access to similar emails is “speed-bumped” immediately across the entire Lyft email ecosystem until admins have the opportunity to review and confirm attacks or restore false positives. Instead of just quarantining messages, which would be a headache with false positives, Material leaves a defanged copy of the message in employee mailboxes — that way, Lyft’s security team knows which employees would have fallen for the reported attack. It’s employee phishing training, but with real attacks that made it through the perimeter.

"Material is a one-stop-shop for my security team: We can look at a phishing report, understand who else at Lyft received the sketchy email or link, who clicked it, when it came in, and take away or restore user access,” says Jae. “All in one window pane."

According to Jae and Nico, Lyft’s relationship with Material delivers new levels of email security, data visibility, security team flexibility, and rapid phishing attack response.

To explore what Material can do for your company, request a demo.