“It felt like there was a lot more intelligence we could be getting from email – there are a lot of different aspects that we could be protecting beyond just that one threat detection piece for what was coming into our organization externally.”
Phishing attacks make all the headlines and, in turn, receive the most attention. Rightfully so, but the threat landscape extends well beyond the inbox. When planning an email security program and evaluating email security solutions, it is important to look at all the angles. We sat down with Allen Cox, Senior Director of IT & Security at MyFitnessPal, for a lively discussion about which email risk areas to focus on and how Material covers more ground than his previous solution.
Recognizing there’s more to email security than phishing
MyFitnessPal is the leading nutrition tracking app, with a community of over 250 million users. For Allen, who leads IT & Security, tracking means something entirely different from counting calories: it means staying ahead of a dynamic threat landscape. As with any high-profile consumer app, phishing attacks of all types are constant.
Prior to adopting Material, the tools in place to protect email were limited to inbound email detection. But as Allen recognized, the attack surface is much wider and deeper, and a purely perimeter-based approach would no longer hold up. An advocate of the Unix philosophy of doing one thing and doing it well, Allen was deliberate in his search for a solution that provided more holistic coverage across the email threat landscape while also performing well where it matters most: stopping attacks and protecting sensitive data.
In his search, Allen noticed something that set Material apart from others in the space. “The reason we started looking at Material was primarily because we were trying to find a solution that was attacking more aspects of the threat area with the productivity suite than just purely threat-based phishing.”
Comprehensive email security with Material
Running a POC with Material was seamless for Allen: the API connection and initial synchronization happen in minutes, with no disruption to mail flow. Their previous solution had included a managed service to handle phishing reports, and losing it could have been a hard pill to swallow for a team already pushing its limits. What actually happened was a lighter triage and investigation burden, because Material was catching more attacks through its detections. “The volume of phishing emails caught hasn't gone down, but the number of reports we see from employees, the number of employees who need help figuring out how to report a phishing email has gone down.”
While swapping inbound email detections turned out to be a net positive, there is more to email risk that Allen looked to Material to help with. A key question is whether email accounts can be made less susceptible to phishing attacks in the first place. Understanding and mitigating the risk of the email accounts themselves is unique to Material, given the depth of our underlying data platform. Knowing which accounts hold the most sensitive data in their mailbox, which auth flows have potential MFA bypasses, or which users are forwarding email to personal accounts strengthens the overall posture of the email productivity suite. The alternative to a tool like Material with built-in risk reports is navigating the Google Workspace APIs yourself through heavy scripting. “Material had already done the work to pull those APIs together, get that information, and surface it in a way that it was answering our questions as a security team.”
Along with improved posture and better threat detection, Allen is able to solve additional use cases with Material that other email security tools overlook. One is how to deal with the sensitive data that accumulates across employee mailboxes. The typical approach is to enforce strict data retention policies, deleting email past a certain age. That takes a heavy toll on business continuity, so for a growing tech company Allen wanted something better. He found Material’s method of redacting sensitive email content behind a layer of MFA to be the perfect fit: confidential data is protected, yet still retrievable for valid use. Another use case is blocking unsanctioned apps by intercepting account-related emails. Shadow IT is hard to stay on top of; Material found a clever way to leverage email patterns and apply protections that reveal which apps are in use across the organization and prevent unsanctioned apps from spreading.
With Material, Allen found a solid replacement for his previous inbound email security tools. What he also gained was more holistic coverage across the productivity suite: illuminating risk areas, protecting sensitive data behind MFA, and blocking unsanctioned application usage. That is a win for vendor consolidation and a win for IT & Security operations.
“If I can consolidate that, just have one vendor that I've got a relationship with to address my productivity suite rather than five vendors – like one who's looking at email, one who's looking at Drive, one who's looking at external sharing with partners – it helps reduce that third party risk landscape a little bit. I also think it helps simplify things for your analysts and engineers who are interacting with these tools.”
Full Session Transcript
My favorite place to start here is what is your security origin story?
Yeah, I think my story is similar to some, different than others. I got started through the military. So when I went to college, I majored in chemistry and computer science and did Air Force ROTC. And back in my year group with the officer sessions, everyone who had more than one semester of any sort of computer class put them into this new cyber warfare career field. And I guess I got lucky that it was a career that was interesting to me and that I was good at, and then I had fun with. Now it's a very competitive career field to get into because everyone's really excited to get involved in cybersecurity, and the military is a great way to do it. And I recommend people do that. But that was how I got involved.
I wasn't really interested in doing more of the IT help desk work, I wanted to do more of the red team, blue team, incident response work. And that led to me getting my first assignment in Maryland working with the National Security Agency. I was part of their blue team. I was involved in incident response for government agencies and government contractors, went on to then do some instruction for the Air Force’s cyber warfare schoolhouse, their intermediate training program called the cyber warfare operations course.
From there, I decided to separate from the Air Force just because I was interested in digging a little bit more into my career with incident response and digital forensics. I ended up going to Blizzard Entertainment, where I started out running their incident response program for their security department. Eventually that evolved into being the manager of the global security operations center at Blizzard, that eventually led me to MyFitnessPal. I've been with MyFitnessPal for three years, and I run the security and IT team. So that encompasses our corporate IT, our IT security threat response, and also our application security teams.
Something we say here at Material is that your productivity suite isn't just another application, it's critical infrastructure to your business. What's your overall approach to security across Google Workspace? Which risk areas are more critical and how do you prioritize protections?
I think when you look at the broader organization, a lot of team members take productivity suites for granted because they're just so ubiquitous. Everywhere you work is going to have a productivity suite and then security teams look at them and see something different, especially with email since that's really the ingress point to the organization.
I think with the evolution of Google Drive and other cloud storage techniques, the fact that those documents can get shared externally also changes the severity from an information disclosure perspective. But as far as information ingress, where the outside world is able to at will come in and talk to people in your organization, email still remains the primary surface. And so when I think about securing that, the number one priority is how do we address the external threats that are coming into the organization? And that's going to happen through email.
Then it's a secondary consideration with all of this data that we're storing, whether it be an email, whether it be in Google Drive, that can now be spread elsewhere. People can forward emails outside of the organization. People can share documents outside the organization. So how do we start to triage to identify where that sharing is? In the case of marketing where we're developing a partnership, where may it not be? I'm just sending this to my personal email for convenience so I can work on this on Saturday evening.
Yeah, you bring up a really good point. We all know email is the way in, right? But what happens once you're in, and then email is also a way out. And then you mentioned Google Drive. With these productivity suites the threat surface is more than just the perimeter – and just looking at stuff coming in is certainly a big component of it, but I'm glad that you consider the accounts that are in there, and of course the data that exists there.
I'd love to talk a little bit about your first impressions of Material. When you found us you came to us first because you weren't satisfied with your existing email security solution. Many people come to Material for that exact reason. Could you describe what were some of the nagging points that led you to explore alternative API based solutions like Material?
The reason we started looking at Material was primarily because we were trying to find a solution that was attacking more aspects of the threat area we were just describing with the productivity suite than just purely threat-based phishing, and the product we were using previously was only really concerned with looking for threat based indicators, trying to block malicious emails that were doing some sort of credential theft or, attachments, those sorts of things.
And it felt like there was a lot more intelligence we could be getting from email – there are a lot of different aspects that we could be protecting beyond just that one threat detection piece for what was coming into our organization externally. And then the remediation – we liked that Material had multiple angles that they were addressing with email security, it wasn't purely just that external threat vector.
I'm glad that you noticed that right, right away. And you evaluated our full offering in depth. Could you describe your POC process, and were there any particular “aha moments” where the value of the product just became crystal clear?
Yeah. Our POC process went really smoothly. It was super easy for us to integrate the product into our environment, even with our existing solution prior to Material still running. We were able to really get a clear idea of the value of the product during that evaluation period.
And I think that something that really stuck out to us was Posture Management as an element of the tool, where we had this dashboard for which users had the most sensitive information, which users had forwarded emails to personal inboxes, which users didn't have them configured correctly – there's a lot of really good context that would be hard to find in Google otherwise. And this may be unique to Google Workspace, something customers struggle with a little bit more: Google has this information, but a lot of it needs to be accessed via API. It's not something that's exposed in Google's administrative dashboards.
And so we've got these questions as security professionals about what's the overall health of our email environment and Material had already done the work to pull those APIs together, get that information and surface it in a way that it was answering our questions as a security team.
We hear that a lot – this information is technically accessible, but working with the APIs can be cumbersome. We know, we've done the hard work as you mentioned to really get to that depth. But then really trying to find stuff that actually matters and surface that in interesting ways.
I'm curious if any of those Posture Management risk reports illuminated something that would be hard to find otherwise, something that you were then able to take action on that you wouldn't have known about previously.
I think the thing that we found really interesting was accounts that had MFA bypasses the way that Material presented it – but really it was people using legacy email clients to access their work email. And there were other better ways that we could have those individuals accessing their work emails.
And that gave us an opportunity to have those touch points say, ‘Hey, you're using this legacy email client. That maybe isn't ideal for our environment. Here are some other recommendations.’ And we were able to improve the posture that way, and that's something I don't think we would have noticed without Material calling attention to them.
And one of the things that we really try to do now is not just stopping the phishing attacks, but stopping the things that would enable phishing to be successful. And if you think about all the different ways you can use email as a vector, being able to surface some of those configurations, just make some fixes, whether it's some setting over here, or user behaviors, or if I'm forwarding all of my email to a personal Gmail account – some of those things that are a little risky but they actually make a phishing attack more successful. If we can get to some of that stuff ahead of time while also stopping attacks, we feel like we're covering the attack surface a lot better. So I'm glad that you picked up on that very quickly.
I know that your deployment had a few moving parts. You're obviously using Google Workspace. You have Okta as your IDP, but you also were using Duo for MFA. And you touched on it. You deployed us alongside your other tool. Describe your approach to rolling out Material across the organization, and when did you get to a confidence level where you could turn on the protections and remediations across the whole organization?
Us getting to a point where we're able to roll out Material to the organization was pretty straightforward. Like the POC, we were able to just continue using our POC environment; we already had things configured from that initial setup. And from there, we expanded the POC to a pilot group to get a sense of what sorts of user issues we might run into. Are there any configuration problems? Are there behaviors we're not sure about? As an example, since Material masks data for sensitive emails that are older than 30 days, we didn't know whether the multifactor prompt to decrypt and view that data was persistent across every email, or if it lasted for 10 minutes; what did that period look like?
If I was a lawyer going through a bunch of contracts, would I have to MFA 15 times in a 30 minute window? So we tried to mess with user experience a little bit, make sure we understood what that was going to feel like. And it was what we expected and behaved well, so no concerns there.
And then over time, you use a lot of our products for different things. You mentioned the data, sensitive data protection and phishing detections, we're constantly tuning our underlying detection engine. And, we have our engineering team, we also have a threat research team. How have you seen Material’s detections, both on email and data protection, trend over time in your environment? Are there any particular attack types or particular types of sensitive data that you're noticing are hitting more frequently than others?
When we switched to Material, one of our concerns was around losing the managed service component of our previous provider. So our previous provider had a phishing managed service where they would review the phishing emails and take remediation action on our behalf. With Material, we were bringing that back in house where we were going to be the ones responding to the phishing emails. And I think we were concerned that we were not prepared for the volume and whether that was going to become a significant operational load. And the good news is it hasn't.
Because Material’s detection engine has been better in most cases. We actually have a reduced number of phishing reports. The volume of phishing emails caught hasn't gone down, but the number of reports we see from users, the number of users who need help figuring out how to report a phishing email has gone down.
So that volume didn't end up increasing, and we haven't really needed the managed service after making the transition. So that's been a very positive thing. And from a trajectory perspective, Material is doing better than our previous tool at preventing the malicious emails from even getting delivered to our employees inboxes.
That's fantastic to hear. User reports are a line of defense, but they shouldn't be the only line of defense. And when humans are the target, if you can do anything to prevent the emails from even reaching their inbox that's what you want to focus on. So I'm really glad to hear that our detections are helping you out in that regard. We’re always trying to save the very precious time of the incident response teams.
We take customer love very seriously here, and I know that you appreciate that Material does more than what is typically considered in the email security category today. What would you say are Material’s most unique capabilities compared to what else you've seen in the market?
I think the first one is locking sensitive information behind MFA in the email body. That's something I did not see prior to Material. The way I had seen prior organizations handle information residing in email is to have increasingly short retention windows – that obviously has business continuity concerns if I'm deleting all email after a year. If I need a contract I signed two years ago because it was a three-year agreement, and I don't have a copy on my local drive because my computer got updated, but it got deleted from email – those are not great situations to be in, and it increases the knowledge management burden. And so as a company with a newer workspace, we’ve been hesitant to do a really tight data retention window for email, and Material allowed us to solve that problem without doing a lot of data deletion. We were able to say, hey, the sensitive data now has an additional layer of protection around it, and we didn't need to lose that institutional knowledge by doing a short data retention window.
The other thing that was really beneficial for us was intercepting the user's ability to use their work account to sign up for other SaaS applications – so when users receive that email to reset their password or to confirm their email address, that gives us an opportunity to stop a little bit of Shadow IT and, in a smaller company where everyone is moving fast and breaking things, that's all wonderful, but there's also a temptation to just go out and start signing up for things and setting up services and clicking through terms. And we don't always want that as an IT team, don't always want it as a security team introducing additional risk. And so having a tool as part of our email protection suite that's specifically tackling the Shadow IT risk was really exciting, and not something I would have expected from my email security tools – that was a nice surprise.
I'm glad that you highlighted those two specific use cases because they are typically outside of what you'd consider email. But when you think about email as the vector and email as the target, yeah, using your email account, it's your de facto identity – if I gain access to someone else's email account, like the first thing I'm going to do is going to try to reset a bunch of passwords. It's a very easy thing for an attacker to do to spread their reach. So just getting that layer of protection on the accounts, but also to be able to just block things, right? It's just a hard thing to do to block signups without getting in the way of the entire protocol of email, right?
And so, I'm glad that you were able to pick up on that and help the Shadow IT scenarios. Glad that those two things jumped out at you because they are unique – we think unique to Material and unique in the email security space.
In that spirit, Material has a bunch of different products that think about the whole email security landscape. How do you see the value of Material combining all of those offerings under a single product suite?
I think the value of combining all of these offerings into a single tool suite is, first of all, it helps reduce tool sprawl, which is kind of an inherent issue, an inherent tension with security tooling. You want things that do what they purport to do well. And in a Unix methodology, they do one thing really well. And you want that from your tooling, but also when you introduce security tools, especially SaaS based security tools, you're introducing a lot of risk; you've now got a third party who has a lot of access, whether it's read only access or not, to all of your sensitive data.
And like we talked about, our productivity suite has a lot of sensitive data. And so if I can consolidate that, just have one vendor that I've got a relationship with to address my productivity suite rather than five vendors – like one who's looking at email, one who's looking at Drive, one who's looking at external sharing with partners – it helps reduce that third party risk landscape a little bit. I also think it helps simplify things for your analysts and engineers who are interacting with these tools. My team does a lot of automation with low code automation solutions. We use Tines, who I know Material has partnered with in the past. And so having access to Material’s API and being able to automate some functions is also very helpful for us. And so if that's all consolidated in one place, it simplifies the learning that has to happen and the amount of process development we need to do as we start to automate and access the information that Material is surfacing.
Yeah, it's an interesting topic. Basically validating our market positioning, which is something we love to hear. So that's great. Yeah, you mentioned Tines – great partner of ours. We have a lot of customers using Material with Tines – I'd love to hear which events you're funneling down to Tines and how you're using that as part of your incident response workflows.
We do all of our alerting through Tines as a centralized alerting pipeline. And so we're able to pull events of interest directly from Material and then filter them through our case management and any additional processing and enrichment that we do. And then we have ChatOps on the back end for Slack. And that allows us to just really pay attention to Slack as our primary source of truth for what's hot at any given moment and triage from there. And that avoids having the 15 tabs or whatever open where we're just circling through throughout the day on what's on fire today. And so being able to centralize that is really helpful. And when we go look at vendors and talk about acquiring new tools, “Do you have an API? Is that something we're going to be able to access?” is usually one of the first questions we ask. And it's usually a big concern for us if vendors don't have an API that's successful to us because our entire workflow is really dependent on having that API access.
I think in incident response, we've always heard about trying to combat alert fatigue, but something that we think about is more in the context of fitting your alert budget. How do you think about alert budget across all of your risk, systems, and data and how's that all coming in? And what are you looking for in tools to fit in with what your team is capable of responding to in timely, effective manners?
When we're looking at alerts and alert fatigue, the first thing that I'm most interested in looking at is what's high value and what's not. And sometimes you hear this in the true positive, false positive discussion. And I don't necessarily love that terminology simply because it gets misused sometimes because things can be true positives that are not really malicious or of interest, they're not valuable. So I guess what's more of a high value alert versus a low value alert and starting to measure that – and that's one of the advantages of having a unified alerting pipeline. If you've got all of your alerts coming into the same pipeline and you respond to them in a similar way, that gives you an opportunity to capture a metric on – was this something that somebody needed to look at? Was it not? Then you can start to filter out – these are our high value alerts coming from high value systems, these are the ones where we want to wake people up in the middle of the night, we need to respond to this ASAP… versus this is just maybe an interesting threat hunting lead, maybe it's an alert or a detection that we need to do a little bit of cleanup on to make sure it's not quite as noisy. Maybe there's just some bad behavior that we're seeing from certain developers. Who knows? It could just be more informational, but being able to parse out those high volume alerts versus low volume alerts is important.
Yeah, I love that framing. And if your incident response team is just a dumping ground for informational alerts, you're obviously wasting that team's talent. And if you can put more emphasis on the higher value, more critical issues then – but it's easier said than done. How do you know what's informational?
Something we think about a lot at Material is these toxic combinations. There’s a lot of informational stuff you can gather from Google Workspace – but when you start to combine some of these signals, whether it's the attacks coming in from email, the posture of an email account, to the level of access they have to downstream systems and applications, you can start to put these things together.
We’re starting to correlate a lot of these signals that we see because we've done the hard work of getting to the depth at the platform level. We can start to take some of those Posture Management reports and tie some of those things together and show you the things that are a lot more critical and timely as a single list of issues based on a bunch of different detections that span the entire productivity suite.
Yep. And I think one of my senior security engineers likes to say that context is king. And I think that's what you're hitting at there is the more context you can provide upfront with an alert inherently, the more valuable the alert is going to become.