Compass accelerates phishing remediation while reducing on-call burden

Phishing is a big problem and can feel daunting for security teams. Reports from users come in frequently and security teams race against the clock to respond and remediate. It’s a never-ending battle to secure mailboxes.

Christian Ghigliotty is the Engineering Manager for Application, Product, & Enterprise Security teams at Compass, the largest real estate brokerage in the United States.

When Christian started at Compass, one of his first tasks was to hire a skilled team focused on building a robust security program. Compass operates tens of thousands of mailboxes and Christian says he knew that email was one of the biggest attack vectors the company would face with wire fraud, business email compromise (BEC), “and everything in between”. He wanted to get in front of these types of attacks before they reached Compass customers. 

Compass’ previous processes for responding to and triaging phishing threats were not suitable for scaling as the company grew. There was also a lack of data and insight to effectively understand the threats at play.

Christian was introduced via his network to Material Security, who could help provide better visibility into email as well as solutions to automate phishing incident response and improve data protection. Christian shared, “Prior to Material, there was the ability to block things, but getting the data analysis piece and having the user experience that we’ve seen in Material, that was what was missing.”

Responding to Phishing Threats at Scale

Compass is a fast-growing company, so automation was a top priority for Christian when it came to phishing incident response: “How can we tackle this at scale? How can we measure it better? How can we establish playbooks to respond quickly and effectively?” He wanted his team to deploy an effective, scalable solution so they could “solve the problem the right way”. 

Knowing that Material is trusted by both long established category leaders (like Mars) as well younger fast-growing companies (like Roblox), Compass decided to roll out Material’s Phishing Herd Immunity, a collective defense solution. Material automatically finds similar messages across the organization as an attack unfolds. If one user reports a suspicious message, the rest of the organization is protected immediately.

The security team can set custom remediations, such as educational warning messages or defanging links and attachments. These “speed bumps” help protect other employees from falling victim and give time back to the security team so that a manual security review is no longer immediately necessary upon a user’s report. “Slowing down the attacker gives me more time to respond. Those speed bumps are the things that allow us to breathe at night,” said JJ Agha, CISO at Compass.

Material enables the organization to automate the checks a security analyst would usually need to do manually. “The goal is to reduce mean time to remediation (MTTR) to something that is as scalable as possible. Every time a phishing report comes in, the signal to noise ratio is typically high, so how can we reduce that as a whole?”

By automating the response with Material, Compass saw a reduction in MTTR by almost 40%. The solution is helping Compass run effectively leveraging SOCLess Framework within the Detection Engineering and Response Automation team, without reliance on a full-blown security operation center (SOC).

And with more time back to the security team, Compass could also build against the API and hook into events to run more sophisticated workflows that immediately tied back to success metrics. Christian shared, “Within about six months of deploying Material, we were able to not only automate our response, but also plug that into our on-call metrics to measure the improvements. With Material’s API, we can take a big problem like phishing and break it into bite size chunks to do things in a more advanced way.”

Protecting sensitive data in email

Once phishing response was no longer such a tedious process for the Compass team, they were able to dedicate time to strategic security projects. One project involved data protection within email. “How do you lock down a mailbox so that if someone gets access to it, it's not game over?” shared JJ.

Christian’s team rolled out Material’s Leak Prevention to help solve this problem. Material scans employee mailboxes to find messages deemed sensitive and then adds a layer of authentication to these messages via Compass’ preferred SSO or MFA provider. Once the user requesting access is verified, the message is unlocked directly in the mailbox.

Not only was this a fully unique way to approach the problem, but it was also simple and unobtrusive for users since they were already familiar with using SSO and MFA for other applications internally.

Christian shared, “In the security space, there are a lot of cases where UX improvements would lead to increased adoption for our users to make better decisions. Material’s Leak Prevention offers a unique and really pleasant experience for our employees. It’s a breath of fresh air.”

An ongoing collaboration

Christian and his team developed a “great partnership” with Material’s team, who are collaborative and very receptive to new feature suggestions. He shared, “I’m excited to see the continued evolution of Material’s product so we can leverage more of the automation piece. Material continues to develop great UX and security features, and I can’t wait to watch them continue to grow and eat the world.”