Sonos Tunes Into Email Risk Analytics and Cuts Triage Time 98%

What Sonos’ Smart Speakers and Their Email Security Have in Common


  • The security team at Sonos needed an email risk analysis to inform policy and technology decisions.
  • Growing phishing attacks overloaded previous defenses built into the email platform.
  • Risk Analytics provided visibility and rapid mitigation with a few clicks while Data Infrastructure powered deeper custom analysis to inform security decisions.
  • Phishing Herd Immunity cut triage time 98% and increased the security team’s output against phishing.
  • Material's ongoing enhancements and the quality of responses to feedback were a welcome bonus for the Sonos team.

“Material is a lot like my Sonos speakers at home. It just keeps getting better every day since we bought it and the bar on the first day was already very high. Both companies are taking something that people think they understand and completely turning it on its head.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Sonos lives up to its daring vision: “Any song, in any room, always sounding amazing.” The respected pioneer of smart speakers is based in Santa Barbara, CA, and employs 1,500 people worldwide. For Sonos, protecting intellectual property, sensitive data, and employees is a top concern. 

Jesse Johnson is the Senior Manager of Enterprise Security for Sonos. He leads a small team of security engineers, providing powerful insights to focus their efforts on the highest-leverage work. Email security jumped to the top of Jesse's priority list after an onslaught of suspicious messages. The incident revealed that both their built-in and add-on phishing defenses were no longer adequate.

Jesse consistently looks for “tools that are multiplicative or exponential” for the productive output of the team. Material cleared his high bar with Phishing Herd Immunity since it empowered ordinary employees at Sonos to defend the entire company against attacks, and reduced remediation time from 20 minutes to just 20 seconds.  

Sonos uncovered additional opportunities to improve their security beyond boosting immunity to phishing. Their security team wanted more data to prioritize risks and make informed decisions. Material's Risk Analytics and Data Infrastructure capabilities unblocked their access to data. Today, Sonos has more clarity on their email risk landscape and can mitigate the most pressing issues—often with just a few clicks right from the data reports.

Sonos Now Makes Data-Driven Email Security Decisions and Quickly Mitigates Risks

Most organizations lack visibility and control over their entire email footprint. They don’t know which mailboxes have unsafe settings, what sensitive information is lurking in mailbox archives, or who has been part of public data breaches. The Sonos security team, like many other teams, routinely found themselves wishing they had better visibility.

“Normally, getting analytics on email sucks. We were making decisions about email security, but we didn’t have all the data. Material gave us visibility so we can get to the root and solve the problem instead of brute-forcing it. We didn’t know we needed Risk Analytics until we saw it, but now it has become an invaluable part of what we do.” 

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Risk Analytics surfaces risk factors in three key categories: employees’ email accounts, the third-party apps they use, and the external partners they interact with. Jesse routinely monitors these reports. Some examples include the use of IMAP/POP and application-specific passwords (both allow bypassing MFA), sensitive content in mailboxes, and accounts of employees and high-risk partners compromised in data breaches. Jesse’s favorite part? The ability to quickly fix risks he discovers: 

“Mitigating from the risk report is great. I love the ability to disable MFA bypasses and revoke application-specific passwords.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Jesse digs deeper than most people, asking substantive questions and using his technical skills to get answers. This is where Material's Data Infrastructure gave Jesse and the Sonos security team the ability to go above and beyond. For example, Sonos now uses this analytic capability to write custom SQL queries to investigate specific inbound-outbound communication patterns over millions of messages with a high potential for leaks and fraud.

The Best Response to Large Scale Phishing Attacks? Automation and Internal Crowdsourcing

The need for a different phishing solution became clear when Jesse’s team faced large-scale phishing attacks.

“We had a couple of incidents where we received 5,000 emails in a day. Our phishing solution wasn’t able to hang. We saw attackers try to use stolen credentials against us. Luckily, they were unsuccessful, but we knew we needed to step it up.” 

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

After these attacks, Jesse kicked off a search for a new solution. He looked at the leading email gateways, but “didn’t want inline solutions that could break mail flows.” He also evaluated the native phishing response capabilities of his email platform and found that users rarely reported suspicious emails because the value of reporting wasn’t immediately apparent to them. When users did report messages, the investigations were painful. Limitations in the email platform’s administration tools forced his team to “chip away at the problem a few emails at a time.”

“It took 20 minutes to find anything. You had to remember the subject and the sender, but there were no guarantees that you’d find it. If the subject was slightly different, you wouldn’t find other messages. And since there was no fuzzy matching, you had to know exactly what to look for—for example, each of the many bitcoin wallet IDs that attackers may use in a single attack.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Triage Time Reduced 98% With a Collective Phishing Defense Employees Love

Jesse understood that fighting phishing attacks at scale demanded a collective approach:

“I was already looking at ways to encourage people to actively report phishing. I also wanted an easy way to give positive feedback to people.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Material's Phishing Herd Immunity matched Jesse’s vision for active reporting and multiplying his team’s output, and just five weeks after meeting the Material team, Jesse licensed the product for Sonos. A rapid rollout to thirty employees came first, soon followed by about a hundred more. In no time, the entire company was on board with the new response to phishing.

Phishing Herd Immunity works by ingesting suspicious message reports and building a cluster of similar messages across all employee mailboxes. It then applies an auto-remediation to the cluster, subtly changing the messages in it to create “speed bumps” that warn users at exactly the right moment.

Jesse used Material's flexible options for reporting suspicious messages to provide the easiest user experience. To avoid costly retraining, he kept the existing phishing reporting mailing list (now automatically triaged by Material) and activated a feature that allows for more user-friendly reporting just by applying certain labels. 

The Sonos team was able to pump up the volume of employee reporting after Jesse inspired them with the knowledge that a single click on their part can protect the company:

“You can tell users that if you mark an email as suspicious, you can protect the whole company. I can tell this to new hires and current employees. This narrative helps sell (active reporting) into the business. I love that our CEO reports phishing emails. I love that people are involved.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Increased employee reporting resulted in immediate payoffs with visible improvements in Mean Time to Report. The collective approach means Jesse now has far more defenders than he could have ever hired to support his security team:

“It’s a force multiplier. For a company of our size and with the number of security engineers we have, it’s a 50x increase in output.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Sonos slashed the time required for triage by 98%. The combination of role-based access to email administration, powerful search, and automatic clustering of similar messages simplifies workflow and saves time:

“Material created a huge reduction in the level of complexity. Triage went from 20 minutes to 20 seconds — just a couple of clicks to deal with a bunch of messages.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos

Sonos and Material: It Just Keeps Getting Better

Jesse is excited by the results of their successful rollout and feels confident about their decision to go with Material. The team’s output is way up, and so is the quality of their decisions. Bonus: Responsiveness and updates from Material based on feedback from Jesse have left him feeling pleasantly surprised: 

“I’m surprised by how quickly Material is able to iterate. There were times when I asked for something during the day and then got the update at 10 PM that night. The updates that I get are what make me feel like I made the right investment.”

— Jesse Johnson, Sr. Manager of Enterprise Security, Sonos