Risky Business - Risky Biz Soap Box: Why o365 and Google Workspace are a security liability
Episode Date: November 15, 2023
In this Soap Box podcast Patrick Gray talks to Material Security’s CEO and co-founder Abhishek Agrawal about the security problems inherent to modern productivity suites. Does it make sense that threat actors can authenticate to o365 and Workspace accounts and clean them out entirely? Years of mail, years of files? Material Security has built a product that tackles this issue. It can lock up email archives behind MFA challenges, redact PII from inboxes, better control files shared via Google Drive and OneDrive, and just generally limit the damage a threat actor can inflict when they compromise a cloud productivity account. Even if you’re not interested in buying a product to tackle this, we think this one is a great listen.
Transcript
Hey everyone and welcome to this special Soapbox edition of the Risky Business Podcast.
My name's Patrick Gray.
And if you're a new listener, this is not the regular weekly Risky Business show.
Scroll back in the Risky Business Podcast feed to find one of the numbered editions.
That is the weekly show.
These Soapbox podcasts are different.
They're an entirely sponsored thing, which means everyone you hear in one of these editions paid to be here.
And really what they are is a chance for our sponsors to talk about what they're doing,
the way they see the world, so on and so forth. And yeah, today's Soapbox is a really,
really interesting one, actually. We're chatting with Abhishek Agrawal of Material Security.
And Material has been a sponsor for years now, a sponsor of this show. And I always thought their tech was cool, but I did wonder if the market would embrace it, right? But I don't wonder about
that anymore because the threat environment has really shifted over the last few years and
Material makes the perfect solution for some of today's
big challenges, and they're the only one, as far as I know, that does this, right? So, a little bit
about the company: they make a product that controls your users' O365 and Google Workspace accounts
via Microsoft and Google's APIs. So Material can do things like lock up your user's inbox archives and impose an
MFA challenge on them when they want to read old email, for example, right? So you can just have a
blanket rule that says anything older than three months, archive it. If a user wants to access it,
they need to MFA. And this is obviously really useful because if a threat actor gets into that
mailbox, they can only get, you know, they can only exfiltrate three months worth of mail.
So, you know, it could do other things too.
It can auto-redact PII from mailboxes,
which is an incredibly useful feature.
And it can even do things like lock up password
reset emails behind MFA.
So if someone accesses a user mailbox
and they're trying to reset other accounts,
you know, using email reset, like that just won't
work. So, you know, all in all, very useful stuff, right? Now that we live in a very cloud, cloud,
cloud world. So yeah, the whole point is if a threat actor manages to access one of your users'
cloud productivity accounts, they can't really exfiltrate anything too sensitive. And they're
much more limited in what they can do. And you're much more likely to catch them. The Storm 0558 campaign against the US government recently is a great
example of where this product can help. And these days Material's bells and whistles aren't just being
applied to email. Google Drive and Microsoft OneDrive are the file sharing servers of the 2020s,
and the major platforms have done a pretty bad job, let's
be frank, of putting suitable controls on them, granular controls, and Material is solving that
problem as well. So ultimately, you know, what is Material Security? I mean, they started off saying,
you know, we're an email security company, but not like that, was the best they could sort of
come up with back in the day, but I guess really what I'd describe them as
is a control and authentication layer
built for the modern cloud-based productivity suites.
And yeah, it sure does solve a lot of problems.
So here's Material's co-founder and CEO, Abhishek Agrawal,
with a chat about Material Security's view of the world.
I hope you enjoy it.
Whether it's for planning purposes
or whether it's just to think about strategy, I think in
security, a lot of the leadership often has this definition of kind of critical infrastructure,
right? So like, what is our critical infrastructure? What is the thing that we
absolutely need to make sure like we safeguard? And I think, you know, things that come to mind,
obviously like your endpoints, like your networks, anything you're running in the cloud yourself.
But one thing that we've been talking about with them is it's actually also your cloud office.
And by that, I mean your productivity suite is critical infrastructure because it's where all your content lives, where all your employees do everything they do, where your customers interact with you.
It serves as identity to your point often and is the thing that you then use to log into your cloud infrastructure. And so it's not really... Well, what is it they say that we used to roll our
eyes at and have realized is true, which is identity is kind of the new perimeter, right?
Yeah, that's right. I think it is true. I mean, I think that's actually fair. I think part of that that like, was eye rolling is like, okay, why are we even still talking about per these other areas, you kind of do expect, you know, one or two products that like really supplement the kind of security.
So like, for example, in your cloud infrastructure, you know, there's like the Wizes and the Laceworks of the world.
But when it comes to the productivity suite, for some reason, we've kind of expected a bunch of different like point solutions for different problems. Like, for example, you'll have like something for email, which is different from like, you
know, your, like, maybe your DLP for other parts of the productivity suite.
And, you know, I think a lot of the conversation has been kind of hinting at the fact that
like maybe there's an opportunity to actually consolidate some of that.
If you think of, like, your productivity suite as critical infrastructure in the same way that these other things are, then, like, it makes sense that you
kind of lean on one platform to help secure it and all that. I mean, all of the same kind of
analogies apply, right? So, like, for example, you have, like, really rich APIs into these things and
you can kind of focus. And the other thing that's kind of interesting is the, we often
talk about sort of SaaS security, but I think that has one problem, which is it sort of assumes that
all SaaS is created equal. And like, and the fact is like, that's just not true. Like you have some
pieces of SaaS that are like disproportionately like can carry the risk versus others. And
I think there's this assumption like, oh, okay, if I'm going to do
like SaaS security, maybe I can like cover everything. But in reality, what ends up
happening is you get things that are kind of like a mile wide and an inch deep, right? Because like,
if you're trying to do such a broad sort of set of problems, what you do is like maybe give like
basic coverage on each of them. But I, but you know, like a lot of the vision of Material is
starting to shift towards a point where we're like, actually, there's one piece of SaaS that we think is more important than every other piece of SaaS you own.
It's the very first thing you provision for any employee in your company.
And it's your productivity suite.
And hence, because that one piece of SaaS is so much more important than every other piece of SaaS, it kind of deserves focus, right?
It deserves attention.
It deserves going deep on.
I mean, I hear what you're saying.
Instead of trying to take
some sort of generic SaaS security solution
that's trying to cover everything
or something that's trying to do it
through identity security or whatever,
like actually carve off the productivity stuff,
treat it as its own problem,
put it in its own infrastructure
and, you know, just do it that
way. I'm curious too, just, you know, it occurred to me that, you know, this Storm 0558 attack,
right? Where someone stole a signing key from Microsoft and that enabled people to like,
you know, attackers to mint tokens that would get them into mailboxes.
How would that work in a Material scenario?
I mean, would you still be toast in that scenario
even if you're a Material customer?
I mean, in some senses you wouldn't be
because like a lot of your, you know,
you've got a lot of restrictions on,
you can't dump someone's entire mailbox with Material,
right, so that's a big thing.
But that initial access step still would have worked, right?
The initial access step would have absolutely still worked, but that's kind of the, that's the whole point of the company, right? Yeah. Which is
that if your inbox gets compromised, the blast radius is limited. Yeah. We're actually not
trying to stop the initial access because the assumption is like there's so many different
paths to access that trying to stop each one is kind of like not a winning strategy.
On the other hand, though, in that attack,
the goal of the attack was to do surveillance, reconnaissance, and look at past correspondence.
And what Material does, as you know, is it redacts those messages.
They're straight up not in the mailbox.
They're in another piece of cloud infrastructure
that the customer controls.
And so it's exactly the scenario that Material is designed for, which is like anything in your
archive that would have been in plain text that someone who gets in can just dump. Now, when they
dump the mailbox, they just get a bunch of HTML stubs that are pointers to the original content.
But to dereference the pointer, you need to pass a challenge that becomes harder to pass, right?
Or at least pass it over and over and over.
I actually think that was, there's a theme, right?
So there's like SolarWinds, there's Hafnium, and then there's this most recent one.
And in each case, it was an email breach.
And in each case, the vector, the entry point had nothing to do with email.
So it kind of, you know, what we've been kind of saying for a while is like email security has for a long time been obsessed with email as a vector, which is how do I stop bad emails
from coming in?
Because there's such an effective way to get an entry point in the phishing or whatever.
But it really has ignored the fact
that email is also the target.
And so it's almost like the marketing is hurting us here
because we call it email security,
and that's supposed to mean secure email,
both as a vector and the target.
It's supposed to mean it doesn't have malware in it.
I mean, that's the definition that we settled on,
you know, is, oh, well, it's got no phishing links in it or, you know, malware laced PDFs or bad macros, you know,
that's the definition we move towards. And which is why it was interesting when I first signed
you as a sponsor, being able to talk, well, okay, this is different. This isn't
Mimecast or Proofpoint. Like this is something else.
Yeah. Yeah. Yeah. And I, and what I'm saying is like, so if email security, we, the definition we settled on is it means there's no malware.
That's fine. What do we, what do we call the thing that is trying to secure the content inside the
mailboxes? Like, what's that? That because that's security for your email, you know what I mean?
It's like securing the content of your email. And it's really interesting because
I think there's been such an obsession
with that entry point and just defining it that way, which, by the way, is a direct result of how
the tech used to work, right? In the past, when you had email running on an on-premise
server, the only thing you could really do to secure it was look at email on the way in and
out through an appliance.
Like, yeah, because quite often it would be an endpoint client would pull the email and it
would be deleted from the server. It wouldn't even be retained there. I mean, depending on the industry,
like, law firms would retain stuff and whatever, but most people just deliver it to the client and
see you later. And even the clients, or even when there were cloud services, sorry, the mailbox sizes
used to be tiny, right? Like it was like five megabytes of fine.
I remember it was 20 years ago when Gmail launched
and the whole shtick for Gmail,
the thing that made Gmail popular
and G was a double play, right?
For Google and also because they gave you
one whole gigabyte of storage.
Exactly, exactly, exactly.
Because this is back in the day
when Hotmail gave you 20 or 40 megabytes. That's exactly right. People, you know, young folks listening to this might not
remember, but yeah, you would not really have any space and it was a major pain, right? And because
you didn't have any space, you couldn't archive anything. You, like,
meticulously deleted things that didn't matter. You had to spend time curating your mail storage, right? And that's the problem that, you know, I mean, really we can blame Google for
all of this because they came along and said you can treat email as something you can keep forever.
Right, exactly. Here's a whole gigabyte. Right, right. And I think when they said it's a whole gigabyte
and they said you can treat email as something you can keep forever, in that moment email went from being just a messaging protocol to a content repository,
to a file repository, right? And I think what we all missed in security was like, oh, well, okay, if
it's now become a file repository, maybe I should apply, like, all of the paradigms for file repository
security to this thing, instead of just the messaging,
like network protocol security, like, you know, abstractions that we're used to. So,
and that's, and we're still living in that world, like the file repository keeps getting bigger
and bigger and bigger. But all of the email security we have is all about just the messaging
protocol, it's not really related to the actual content in the middle. Anyways, that's what spurred us to thinking about Material.
And actually, like, you know, it was actually, if you remember, it was the John Podesta hack that...
Yeah, I was actually going to mention this.
I mean, that was the inspiration behind Material, which is like to limit the damage from compromised inboxes.
And it is something where, you know, a part of me, I'm going to be frank, thought, is that a worthwhile premise for an entire company?
And then we look at, you know, like I mentioned the Storm 0558 stuff just now.
And we've been doing a lot of work on that.
And in that case, email inboxes and their contents were absolutely the targets.
They weren't trying to leverage that access and OAuth into SaaS
services or reset Azure credentials. No. Yeah. They wanted the inboxes. They hit 10 inboxes, the State
Department, took 60,000 emails, God knows how many else from other affected U.S. government
departments. But yeah, I mean, this is, you were ahead, I think, on this a little. Yeah. And
the reason that's funny is because we were actually having this conversation before we got going about the merits of being too early versus being too late.
No, 100%.
I mean, I think that absolutely applies to company building and the kind of product strategy you adopt, because it's the difference between operating in an existing market and building
something better there, which can be, you know, a higher velocity of getting going because
your people are familiar with the problem and you're just giving them something that's
like better, faster, cheaper, whatever.
But it's like an incremental improvement versus you're trying to reframe an entire problem
like that.
That takes time.
You have to show folks like one step at a time. And also a lot of this just wasn't possible. So I think it's, it's not like this
insight was not had before to your point, you know, like mail spools used to get dropped and
like that was bad a while ago too, but you couldn't do much about it. The thing that like really
made us excited to tackle this was like, the cloud's email services, you also got these awesome
rich APIs, and those APIs are what actually made some of these, like, techniques possible. And
it goes back to the point we were talking about earlier, which is like, if you focus on one app
or two apps versus trying to do, like, 20 apps because you're trying to do SaaS security for all
of them, then you can actually go deep.
You can use these APIs to do crazy, clever things and actually protect the contents.
But if email or my productivity suite was one of 50 SaaS apps that I was trying to secure,
yeah, I'd give you some basic reporting, like which ones support MFA or don't, are they all SSO enabled? I know, I'd give you some like, kind of like surface level
security posture on all of them. Well, and then you too could have an $11 gigajillion market,
you know, valuation, right? Just by doing that. Right, right, right, right. So like, I think
that's fair. That's fair. But I think like, you know, if you actually want to solve the problem,
which we do, then I think you have to be willing to go a little deep.
But having said all of that, I also agree with your initial skepticism of like, hey, is this
actually, like, you know, whether it's a whole company or not, that's kind of almost...
Hang on, and this gets into the definition thing as well, because you're like, well, we're an
email security company. And, like, where I eventually got to with thinking about Material and what you are is that you're a provider of cloud email
that's suitable for enterprise. And when you, okay, that might not make sense, but then when you say,
hang on, Microsoft and Google's cloud mail isn't fit for enterprise use.
Then you go, oh, okay, now it makes sense.
Because they're not really.
When you think about the, you know,
how bad they are at limiting damage
in the event of a compromised mailbox,
like the sort of stuff you've built, in my view,
should probably be standard features in, you know,
enterprise web. And this is, you know... Totally. And this is, well,
this is the thing that I think is really interesting about security, because by definition,
every security product out there, you could argue that the platform that it helps secure should have
just had that security inside it, right? Like, that is just always a recurring theme. And yet
there's always kind of needs to supplement. And it's not
even just like, oh, I want like a better version of what I would have gotten bundled or like I
want best of breed. It's literally just like layers help. Right. And so I think of it that way.
But what I was going to say is that, you know, whether it's a whole company or not, I don't know,
but certainly it's not enough to kind of address the problem on its own. Like that's just one
feature. Like, okay, cool. Like there's one threat model that you helped with, which is
someone gets into a mailbox or an insider has access to a mailbox and is trying to, you know,
retrieve content. Sure. You helped block that. But I think that no one could kind of argue that that
encompasses like all of the difficulties that you have with like your productivity suite or even just the email app. And so over time, I think where the company has evolved is one covering
more bases that are related to email, but actually then going even beyond that and saying, hey,
the productivity suite, like what can we do there? Right. So like why stop at email? Like these exact
same problems apply to files, for example. And, well,
to Docs and to Sheets and all of that. I mean, everyone listening can tell that we're a Google
Workspace shop, but, I mean, that's where all of our business information lives, you know? Exactly. We
plan all of our sponsorship activities in Sheets and, you know, I do a lot of writing,
obviously, in Docs. And yeah, so how do you begin chipping away?
Sorry, I was going to say, yeah,
the data that you generate as a business,
your IP, everything from your customer agreements,
I mean, it's like, again, it's in this productivity suite,
whether it's in Google Drive, OneDrive.
Look, it's your SMB file share for the modern age, right?
It is your Windows file share server for the modern age.
Exactly, exactly, exactly.
And so we can chip away at that in the same ways, right?
You can use the same techniques.
Like those things also have really rich APIs against them.
So for example, first you can use the APIs
to gain a lot of visibility into what's going on,
which is often really, really hard in these kind of like,
like I talked to a customer, can't name which one,
but they had like petabytes of Google Drive, you know, usage.
And they actually were like-
Does anyone who's not Google have petabytes of usage of Google Drive?
Well, you'd be surprised.
I was certainly surprised to hear that.
And they were like, you know, we're actually, one of the things we're trying to figure out
is like how much storage we even use, because, like, Google can't help us answer that. Anyway, but, like, these things have really rich APIs and you can kind of start getting visibility into,
I mean, for Drive, for example, a common question is like, you know, what are the ACLs on all of
my files? Which ones have sensitive content? Like, do I have anything that's just sitting open? And
this brings us all the way back to the conversation you were having earlier, which is
like, we are so obsessed with like a VM that is open to the internet running inside our cloud
infrastructure. Like we're so obsessed with that. It's like, oh, it's like every time it's an S3
bucket or a VM that was open and gets like used as an entry point. But like, but what about like
the file that's just like anyone with the link permissions and like has been part of some like
data dump and has sensitive content in it. Like, it's the same exact problem, right? It's the same kind of, all of the same...
Well, I mean, every time, and I know this, you know, from using these sorts of services myself, is
anytime I'm emailing a document to some non-Workspace user, I have to set those open
permissions: anyone with a link can open that file, you know? And people are just so used to
clicking. Yeah, whatever. Yeah. And it's the same kind of problems, which is like, well, are you really
gonna go sit around and curate that and, like, go through all of your past links and make
sure, like, they're not still open and you're not, you know. So, like, but with APIs, we can
automate that, we can go through it. We can even take the same idea of making you have to step up,
authenticate before you access something sensitive.
Well, you could even set expiry on the amount of time that files can stay open.
So you could share it and have that link be ephemeral for like,
after a week, nuke it.
Totally.
And I think, you know, to Google and Microsoft's credit, like
the expiry and password protection, like they've built some of those features into the file sharing.
But here's an example. I mean, let's say there's a file from two years ago in your Google Drive.
It's got sensitive data. There's really no reason anyone should like, no one's accessing it recently.
And yet, if I were to compromise an account, I would just be able to data dump this out exactly like email. But if instead, what we had done is we had said, actually,
like, we're not going to give you access to this file until you first authenticate some other way,
exactly what we do in email, then it's the same kind of same kind of threat model we can help
with. So anyway, my broader point, though, is that I think the evolution of the product has been kind of very email centric.
Like the pitch used to kind of be like email security, but not what you think, right?
Like not the email security that you think.
And now it's all around enterprise suitable, secure online cloud productivity suites.
Exactly.
Yeah.
So, and that is everything from what we call posture management, which is just like helping
you understand what the hell is even going on,
like in these environments.
Because I mean, if you are running kind of like,
let's say your standard,
like Microsoft 365 customer,
let's say 5,000 users,
just understanding like what apps do you have deployed?
What settings are they on?
Are there any legacy settings
that you should have turned off,
but like have on still?
What are users doing?
What behavior?
Is there anything risky going on?
It's like, how are you going to audit this?
It's very, very hard.
And I think our big insight at the beginning of the company was like, well, we came from a data infrastructure background, like all three of the founders.
And the first thing that it was just the instinct was, okay, well, you have
APIs that can let you interrogate these platforms. So first thing, use those APIs to basically
normalize all of the data into a data warehouse. And like, that's step one.
That's the next part of this conversation, which is like, how have you done this? And what does
your infrastructure look like? Because under this model,
like if I become your customer,
all of my documents, all of my emails,
all of my everything,
it gets moved out of Google, right?
And stored in a data warehouse that you run.
Yeah, well, not all of them,
sensitive ones that we choose to redact, but yes.
But I mean, historical, right?
Like if it's the archive,
so if you choose nothing older than 30 days, that goes into a data warehouse.
That's right, that's right.
Anything that's not visible to the account
without step-up authentication
goes into that data warehouse,
which would include documents
that we've decided are sensitive.
Yeah, yeah, yeah.
So obviously that is a huge honeypot.
So the first thing is that
we don't run the data warehouse.
So we actually, every single one of our customers gets their own single tenant infrastructure, and all of this app and all of the data that's stored runs out of that, and they actually can get
control over it. We even have a few customers that lock us out of it. So we deploy the product,
we set it all up, but then they rotate the keys and literally we don't have access. We can ship them updates, but they have to apply to themselves.
They station a team of ninjas at 10 meter intervals around it.
Yeah, exactly. But I think what's way more common, obviously, is like, you know,
it's single tenant infrastructure, they can audit it, they can make sure everything is,
everything inside it is kosher, but then obviously, like, we'll carry the pager and help them
in case there's any issues.
But you have to have a model like that.
So that's kind of like the security and privacy and trust model reason for doing an architecture like that.
But the other reason is that if you are syncing all content into a data warehouse, right?
Like if we build like an index of everything going on in your office suite, in everything, and I don't mean just redacted messages or files, but like all message events,
all file events, like message metadata, this all gets synced and normalized into a really fast
commodity data warehouse. And now that's just like unlocked so much because now you've basically-
Well, now you can start drawing insights
from that information, right?
That's right.
And that is stuff we've talked about before.
But I mean, there's, are you allowing third parties,
you know, do you have your own API
that third parties can use to write apps
to query that data?
Or is it more something that you're just doing yourself?
We do have APIs.
I wouldn't say that too many
third parties are using it. It's mostly customers of ours that are using the APIs to automate
different things that they would like to do with that data platform. So detection teams and whatever
will go, okay, I'm going to learn this API because there's a lot of good stuff in there.
Yeah. I mean, I'll just give you a really simple example. So if I'm an IT or security team and I want to search across the entire email or file footprint of my company, maybe I'm looking for a really bad campaign and I'm curious if anybody got it.
Maybe I've been asked by HR to look something up because I'm in IT.
I just can't do that search very easily.
It's just really, really hard in the native platforms.
Like they were kind of built for e-discovery.
So you have to like issue a query,
you wait for a few hours for some MapReduce job to complete.
That's the frustrating thing, isn't it?
About Workspace and Azure stuff
is a lot of this functionality is there.
Like you can run a report in Google
to tell you who's not using MFA,
but it's like you have to go through seven layers of like
clunky interface hell to do it.
Yeah.
And in Microsoft land,
the equivalent is like put together like seven PowerShell scripts
and like, you know, get like hard code credentials.
Burn some sage.
Yeah, I get it.
Yeah.
But the APIs are there.
And like, so you can use the APIs to sync this data and then like just show it, you know, and make it easier.
Yeah.
Yeah.
So like search, for example, if we build like a normalized data warehouse of all email content or file content, search becomes as easy as literally just a query on that normalized table.
You know, it's like it's not hard then.
And that doesn't mean you have to write like SQL yourself.
Like you're using our UI and writing a normal search query
like you would in your Gmail or whatever.
But under the hood, what we're doing is issuing a query
to this data platform.
And that's just one very simple...
Search is probably the simplest example,
but you can think of any type of batch analytics job.
So for example, if every month you wanted a summary
of new senders that you had
never seen before, and how many messages they sent you, like, let's say you need that kind of
information. Or if you wanted to understand how different parts of your company were collaborating
with each other. Or if you wanted to understand, you know, like this other customer did, like,
how are we using our storage space, like all these questions become answerable, because you've got a
data warehouse, it's almost like bringing like the like BI trend
that like every other department in a company
has known for like years
and being able to apply it
to this really, really important data set,
which is your like office data set, right?
Like all of your productivity data set.
Like why is that,
which is the thing that you're, like, creating and living and breathing in every day, and all your employees are, why is that so hard to, like,
interrogate or query? It just, that doesn't make sense. Yeah, I mean, you know, over the years that
you've sponsored, your business has just seemed more and more sensible, you know, like radically
more sensible. That's good. That's a good trend. Well, I mean, 100%, because now you got, like, attackers
specifically targeting emails and, you know, corporate documents now are usually, yeah, in
the cloud, right? And we're gonna see people more and more going after that stuff as
opposed to Windows file shares because stuff doesn't live there anymore. Yeah, I mean, even in this Storm breach, right?
Like if I compromised a mailbox through,
you know, by forging an identity token,
like I could just as easily go to OneDrive
and then dump that out as well, right?
Like why start?
And then I could go to Microsoft Teams and chat
and like dump that out as well.
Like it's all God.
Adam Boileau, my co-host,
he has sustained a psychic injury
from the fact that all these attackers did was dump some inboxes. Like, he's like, they could have
done so much more with that bug, like with that key mat. Like, what are they, like, I swear it
almost gave him a stroke. Yeah. And I think the, well, it's not funny, I guess, but one of the most
interesting parts of this story is that the logs that would tell you that someone was, like, doing this were part of, like, the upsell,
right? They were part of, like, the E5 license. No, I know, I know, but we've been at
Microsoft for years about this. You know, it's just a wild thing that this actually came out of a
startup, like, a startup has kind of reinvented
for online productivity suites.
Just seems a bit cray.
Well, I would say that that's kind of,
that is why startups exist, right?
They like kind of go question kind of like the norm
and try to like break models.
InfoSec, normally they're tackling something like smaller.
You know what I mean?
Like you're literally re-hosting, you know, everyone's cloud productivity suites.
That's pretty crazy.
Yeah.
You know, you're basically re-implementing o365 and Google Workspace.
I don't know if I would go that far because the thing is like the clients, the services.
The access controls and the storage and the logging.
Yeah.
I would say that's a more accurate assertion.
The clients, the services, all the features, you're using them exactly the way you always did in Office 365 or G Suite.
The thing that we are, with some of our features, really tackling is the access control. Like, why is it that like
there's just one like login step that unlocks like everything, you know, for like 10 years
across every app? Like, that's crazy. Like, actually, it's funny, in the early days we,
like, I think back then Google had some marketing which, it was like, one login to access everything.
Like, they were like literally...
That's not good, guys. Yeah, they were literally marketing that, right? And we're like, uh,
that's maybe not what you want. Like, even my bank, right? Like, if I log into my bank account
and, whatever, I do 2FA, whatever, I get in, if I then proceed to make a transaction that like is going
to drain the whole account of like all the money in it, then wired somewhere, it makes me re-authenticate. Like, it makes me like say, like, no, you don't get to just do that. Just
because you got access once doesn't mean you now just get everything. But that's kind of what I mean
about, about like Material making more and more sense as time goes on, because it's just insane,
really, when you think about it. Like, until you realize how insane it is that this is, is the paradigm, like your business doesn't make sense. But when you sort of snap
out of that delusion, yeah, of, you know, and it is a delusion that this is an acceptable state
of affairs, as evidenced by things like the Storm-0558 attack, you just think, well, how is this not
the standard way to do things? Yeah. And I think what, going back to kind of like our definition of email security conversation,
I think this is where like categories can often really hurt because they kind of frame your,
your problem. Email security. We're back to that. Yeah. Yeah. And, and it's like,
cause it's not like people aren't using solutions to help protect like their productivity suite,
like they are, but the things
that they are using are, again, like in the case of email, so focused on the threat vector, uh, and not
so focused on the, on the target aspect. But, but in general, I think like there's also an opportunity
to just think about, like, it's funny, like you, if you, if you log into Microsoft security, like, uh,
compliance center or whatever it's called these days, most of it is actually about email.
It's really interesting, right?
It's about your mail flow rules and they call it Defender.
But obviously, that's not all of Microsoft 365.
That's just one app in Microsoft 365.
All of the other apps, you could argue, also have their own risks.
But they just kind of are
still living in that world where like office security used to mostly just be about email.
And I think even we started there because it is this like ubiquitous app, like everybody uses it
for everything. Uh, it's always going to get more and more data inside it. But I think the thing
that's really exciting for me for the next kind of phase of the company is like going beyond email and applying some of the same paradigms.
I'm with you.
I think it is the next logical step.
And it enables you to step outside of that description of like, we do email security, but not like that.
I mean, I get it.
And it totally makes sense for you to go there.
Just a quick question, though.
Are you FedRAMP?
We are working on it. The thing that's interesting about us is that because of that single tenant infrastructure
and because of the fact that you can actually own the infrastructure yourself, by no means
does that mean you're like FedRAMP done or anything like that, but it certainly makes
some of the kind of questions around it a lot easier because, you know, you can kind
of, the customer is literally deploying the app inside their own infrastructure. Haven't you done FedRAMP yet? Because I can just see, especially in light of the Storm-0558 thing,
that like fed, U.S. federal government in particular, will be all over you. Um, yeah, get that FedRAMP
certification. Yeah, no, like I said, we're working on it. I think, you know, just one of the question
was why not until now? Just busy doing other things or? Yeah, just busy doing other things, to be honest.
and then also even selling into the government,
there are different agencies or different aspects to it.
Well, you need dedicated staff who sell to US FedGov
to sell to US FedGov, right?
Right.
And what I was going to say is...
It's a whole other beast.
It is a whole other beast.
It takes a lot of dedicated effort.
But what I was saying is that there are actually parts of the government
that you don't need full FedRAMP certification
to sell into.
So like there's a way to kind of dip your toes in
and like start getting going
without having to go through this like long,
endearing process.
But honestly, like when the storm stuff happened,
like I was pretty angry internally
because like, you know,
internally there was like a little bit of like a,
guys, like we have the technology, like this would literally have helped. And, and why haven't we done FedRAMP
yet? Was it that moment? Or, it wasn't us just FedRAMP, it was like, why in general have we not, like...
Yeah, so you haven't really made that a priority. Yeah, that's just not where we started. You know,
like I think, um... 'Cause you started more with the Silicon Valley set, right? Because that's where you came from. You came out of
Dropbox. Well, I think what happens with every startup is also what happened with us is like,
when you're inventing kind of a new approach or a new way of thinking, you get like early adopters,
uh, and they're your first set of customers. They're the ones who are willing to try that
out and they, they get it right. They see it before everyone else does. Let's just say the
government is not known for that.
Well, that's the thing.
I mean, that's the thing.
If you tried to sell this to them in,
I mean, you started running around 2017 or something. If you tried to sell this to them in like 2019 or something, forget it.
Now, I think you'd probably have some pretty good meetings.
Absolutely.
And we are having those meetings, you know?
Yeah, right.
So I think that the interest is definitely there.
I think the problem reframing is starting to resonate.
Like they understand, okay, like, yeah, we do have to think about this as like a content repository that is going to be targeted.
It's correspondence, right?
Like at the end of the day, like from like the earliest days of like, you know, espionage, like correspondence is what matters, right?
Like that's what you go after.
And this is the modern equivalent of that.
So like, why aren't we protecting it that way?
I think there is kind of, I saw, as you know,
like I didn't come from like a security background before this company.
And like one gripe I do have with the industry is like,
there is this obsession with detection and like trying to prevent.
It's such an obsession.
It's crazy.
Like it's such a mental lock.
Well, I think it's a balance, right?
And I think you've got people in both camps.
It's a pendulum thing.
I mean, come on.
I've worked with, I work with so many.
Yeah.
I work with so many different vendors
and there's other vendors who do really solid detection
of edge case stuff who might say,
ah, there's this focus
on prevention, it doesn't work, and there's focus on harm. You know, so it's a debate, right? Like, yeah,
I guess I'm just like, you know, by the time someone is stealing a key from a data dump on like some
engineer's laptop that is like gonna let them get into every mailbox, like, all right, like, I don't
know how you detect that, right? Like, I think you have to have some plans for, like, you know... Exactly. You need both. You absolutely need
both. But I think like, you know, just to kind of illustrate how deep that mentality sometimes goes
is like when we would describe this feature and, you know, for the audience, I'll just summarize
it. It's like basically anything that is old, let's say older than six
months, a year, whatever you define that is in your email, that's also sensitive, we redact it.
And then we make you do kind of a step up authentication to access it again. When we
would describe this feature, people be like, Oh, I totally get it. So when you just when you detect
an attackers in the mailbox, you go like, this reaction. You're like, no, no, no, no, no, no.
And I would say, like, do you put a seat belt on like right before you're about to get in an accident,
or do you just put it on every time you drive your car? And it's like, it's, it's more the latter, right?
And so I think that, yeah, like people are always curious about... I think it's also just intellectually
fascinating, right? Like, how did they get it? Like, how did it happen? How did, that was the entry point,
where should we patch? And like, that is, that is, that's good. Obviously you have
to ask those questions, but I think like in some ways it's like not as intellectually interesting
to just be like, yeah, you get in. And then like most of the stuff is like not there. Cause like
it's actually somewhere else and that's just how it is. It's life, you know? Yeah. Yeah. Yeah. Yeah.
Yeah. It's like building. It's not as sexy. I get it. I get it. Abhishek Agrawal, great to chat to you.
Really interesting conversation.
I think, you know, I think your time is now.
I think it's a great time to have built what you've built kind of before it was cool, maybe a little bit early.
But now you're boxy.
I think this is something that, you know, a lot of people are going to need something like this. Certainly, you've paved the way for the future of how we're going to think
about this stuff. I mean, I do honestly think that. So yeah, great stuff, man. Well done.
And a fascinating conversation. Thanks a lot for joining.
Yeah. Thank you for having me. Appreciate it.
That was Abhishek Agrawal, the CEO of Material Security there. Big thanks to them for that.
And you can find them at material.security.
And that is it for this edition of The Soapbox.
I am still on break, but I'll be back with another weekly edition of the show on November 29.
But until then, I've been Patrick Gray.
Thanks for listening.