.png)
.png)
Material protects your entire cloud workspace–the emails, files, and accounts critical to your business–here’s how we’re building it.
Here’s a thought experiment: would you rather lose your laptop, or your Google Workspace account? For me, it’s not a debate - I would hand over my devices long before my accounts…and I think most would agree. Why?
Because our cloud workspace account represents all of the most critical pieces of our day-to-day lives: communication, files, and identity.
We’ve been saying “identity is the new endpoint,” for over a decade, and it remains true. And to be more specific, our cloud workspace login is now our most important “endpoint.”
This is a big change from when I joined Microsoft over 20 years ago, using on-prem Sharepoint and Office 2003. Today we use far more sophisticated, cloud-based tools that enable productivity and collaboration at a pace and scale we could only imagine back then. And yet, the dramatic shift in how we rely on our email and cloud office tools has been paired with stagnation in how we protect them. Today, as then, the most common protection is filtering of email-based threats.
After 20 years of innovation in how we work, inbound email protection is still necessary, but no longer sufficient. The threat surface of the cloud office is far broader, and has been for quite some time.
Filling the gaps
The modern organizations we work with have consistently communicated the need to treat the cloud workspace as more than just email, and we’ve worked with them to evolve our product offerings in response.
They wanted to secure Google Drive. They wanted to understand sensitive content shared in email. They wanted to find misconfigured or compromised accounts.
We thought those were all great ideas, so we kept adding to our product line.
But as we added functionality and expanded capabilities, it became obvious that just adding features across several disparate SKUs was making our product suite too complicated, and each area unintentionally siloed.
While designing an update to our former Posture Management product, we realized the common thread between all of Material’s product offerings was the familiar pattern of detection and response.
So we set about rebuilding our product to be a unified detection and response platform for the cloud workspace. We’ve had great partners give feedback early on, and with the product generally available now, we’re constantly iterating with customers to improve.
Simplify and add efficiency
Our vision from the start of this evolution was for Material to simplify the work of teams tasked with securing the critical infrastructure that is the cloud workspace. The further we got into the project, the more apparent it was that by covering all relevant risk areas with a single tool, Material could drastically simplify operations and accelerate the security-maturity journey.
One meaningful way Material simplifies SecOps is by allowing teams to deploy and learn one tool. Whether investigating an issue about a malicious email, remediating a sensitive file shared with the wrong people, or revoking the session of a compromised account, the user experience and tools at your disposal are the same. With Material, security teams employ common work tracking with Issue status. They can write custom detections looking for files or messages. They can maintain their posture, monitor and remediate risk, and detect and respond to threats all within the same interface.
Additionally, investigations are faster and have more depth. Say a security analyst found someone forwarding sensitive email externally: a single click lets them pivot to view the files owned by that account. Another click shows the malicious messages they’ve received. One more will reveal every message that account has sent. This flow is native to Material: there is no third-party integration necessary, or custom detections built on a SIEM.
Along with realizing that our product SKUs would be more powerful as a cohesive unit around detection and response, we saw another consistent theme. We discovered over and over that the aspect many of our customers loved the most about our products was, somewhat paradoxically, how little they needed to use our products.
The automations we built into securing emails and files, remediating email threats, and handling user phishing reports made our products set-it-and-forget-it for many critical tasks. We saved our customers’ time and allowed them to scale by automating with confidence. While at the same time always providing the visibility and control to manually investigate and respond and customize workflows to exactly match their use case.
We’ve taken that lesson and applied it across the entire cloud workspace, with a range of automated remediations that make cloud workspace posture management and identity protection as hands-off as a security team wants it to be.
Finding the right level
One challenge underlying this entire effort was the need to find a common framework that fits all these risk areas, from defining Detection types to Issue properties to views of open Issues. We drew inspiration from several areas–some expected, some not so much.
As with just about anyone in the security field these days, we drew inspiration from Wiz, and looked to build foundational components that work everywhere and are able to be extended as needed. We also looked carefully at other interfaces outside of security–Amazon’s product details page, for example. It always feels both custom to the product you’re looking at, but at the same time familiar–even if you’ve never bought a similar product before.
Both examples demonstrate a model we followed: use common elements (Issue status, evidence, response automation) and extend to customize as needed (eg. classifying malicious messages). The result is that every time one of our users investigates an issue, they instantly feel comfortable and familiar, and be able to locate and make use of all the necessary information quickly and easily.
Another challenge was choosing the scope of coverage. Point solutions will claim they have “breadth,” but only within one category like DSPM. That approach misses the point that the cloud workspace is the center of gravity of how your company operates.
Treating Google Workspace or Microsoft 365 as if it was just one of many SaaS apps is a superficial approach. To deal with the modern threats facing email and the cloud workspace–where your emails, files, and accounts are all inextricably linked–you need a solution dedicated to the cloud workspace as a whole. Focusing on a single area without the signals and context from the rest leaves blind spots and opens vulnerabilities. The entire cloud workspace is critical infrastructure, and applying focus and expertise to the entire platform yields comprehensive security that fills the gaps left by point solutions..
The result is a product that addresses the needs of modern security teams looking to scale their impact without scaling hours or dollars.
Looking ahead
As excited as we are about this evolution, it’s only the beginning. We continually build new detections that draw from the visibility we have across the entire cloud workspace, giving our customers visibility and control over risks and threats that no other security tool could even detect. We’re developing more automated remediations and workflows to fix issues without burdening security teams – and without getting in the way of day-to-day work.