ESG's Dave Gruber discusses email security with Abhishek Agrawal of Material Security.
Dave: Hi, everyone. Thanks for joining us again on our continuing series of email security. Today, I'm joined by Abhishek Agrawal, who is the founder and CTO of Material Security, and we're going to be talking a little bit about the continuing growing challenges associated with the email security threat landscape, and how organizations are fighting the modern adversary.
So, welcome, Abhishek.
Abhishek: Yeah, thank you so much for having me, Dave. Pleasure to be here.
Dave: So I thought we'd start with maybe having you highlight some of the lesser-known ways that email's involved in modern attacks, that the average security professional might not be aware of.
Abhishek: One of the biggest changes that we've observed, at least recently, is that email has increasingly become not so much just the vector, like you said, you know, the way in which someone might be accessing an organization, but the actual prize, the thing that they're actually after. What I mean by that is, it's identity, it's harvesting contacts, it's using the archives of content that exist inside mailboxes, to carry out further attacks.
As a simple example, you know, the latest Twitter hacks, there was a lot of focus on the fact that it was an insider, and, you know, they were able to do some social engineering and convince these insiders to help them, but the way in which they achieved their objective was actually getting this insider to change an email address associated with an account, and then triggering a password reset email, to actually take control of that account.
So what you're seeing is email becomes not sort of just the way that I'm going to accomplish something else, but it's the thing I'm actually after, because it unlocks so many other things for me.
Dave: So, with most companies now depending on cloud-delivered email, how does that change things?
Abhishek: For me, the answer's actually pretty simple. It's that if you think about how email is used today inside organizations, it's not just a messaging protocol. It's not just a way we communicate to each other, it is a full-blown business app. So, if you're approaching it from a security perspective as a full-blown application inside the enterprise, with org structure inside it, with transactions happening over it, with it being an identity layer for the different apps that it's connected to, then you can't really just think about one type of attack, which is an inbound attack, and blocking.
You have to think about other ways that you're going to sort of address the other threats, right? So, a gateway makes a lot of sense. It's trying to detect inbound attacks. But there are many, many other ways to access a mailbox, and if it's the prize, like I was just talking about, then you really have to think about some of the other ways that someone might get access, and you have to think about what are they going to do if they get access to that mailbox.
What are the sort of further things that they would do? So, I think gateways are an important piece of the puzzle, but they're not going to be comprehensive.
Dave: Yeah, makes sense. Wow. And so, what about the native controls offered by the cloud email providers? In my survey results, many people are assuming that they'll satisfy some of these new email security requirements. So, question. Will they?
Abhishek: There are a couple things that native controls can help with. So, first of all, they are by definition platform-specific. Especially in the large enterprise, you actually have multi-platform environments. You might have O365 as your primary email provider, but then you make an acquisition, where the company you're acquiring is on G Suite, and now, all of a sudden, you're trying to figure out how to get the same controls on both.
It's a challenge. Another really important point here is the personal accounts of executives. I don't really care, as a security practitioner, if it's my VIP's personal account being targeted versus their domain account. As far as I'm concerned, it's still part of my risk profile if something happens to that account. So, while there might be the right adequate tools natively offered for my, you know, @acme.com account, the @gmail.com account of my exec might also be a threat that I have to worry about.
And then lastly, there's a lot of things that, you know, the Microsoft and Googles of the world still have to build into their core email security offering to even catch up with sort of the, you know, Proofpoints and the Mimecasts of the world. So, there's a timeline component of how long is it going to be before they handle these. But, you know, personally, I do believe that the native controls are going to get better, and I do believe that they're going to reduce the number of additional supplementary vendors that companies need to adopt, but it's always about timeline and how much you want to kind of get fixed to one platform.
Dave: So, let's just close with, tell me just a bit about Material Security, and how you've thought about this problem differently, and how your platform addresses these issues.
Abhishek: The thing about Material Security that is pretty interesting is that unlike a lot of email security that, you know, your viewers might be familiar with, it's not really trying to block. It's not trying to prevent inbound attacks from reaching the mailbox. It asks a different question, which is, if someone were to get access to a mailbox, what would they actually do?
For example, if you get into my mailbox, you get 10 or 15, 20 years of email history, because it's just sitting at rest in my email archive. And so, we're able to do things like leverage an existing identity platform, like an Okta or Duo, to help you actually add a layer of protection to sensitive content sitting at rest. Another thing I might do if I'm an attacker and break into a mailbox is I'll actually use that mailbox to now jump laterally to other services, because all I have to do is reset a password, and now I can access, you know, your Twitter account, or a bank account, or even, like, a Salesforce or something like that, using email, because email, for a lot of companies, and for a lot of apps, is basically the identity layer.
Another thing that we're thinking about is, with cloud email, one of the most fascinating things is you get these really rich APIs. And so, if you think about historically, email security has been almost, you know, it's almost been limited by what it can do, because of the technical infrastructure. Your really, your only way to interact with an organization's email used to be to be inline and sort of look at things on the way in, or look at things on the way out.
But with APIs on these cloud email mailboxes, you get a really rich capability to manipulate messages post-delivery, examine messages post-delivery, incorporate signals post-delivery, and a lot of what we're doing kind of takes advantage of that.
Dave: My take listening to that is inside-out view, versus the outside-in view, which, go for the gold. Where is the gold for what people are looking for inside the environment? So, I encourage people to take a look at what Material's doing. We'll continue with our series.
Abhishek, I appreciate your time today, and your insights. So thank you all for another episode.