1 00:00:00,200 --> 00:00:03,050 S1: All right, Abhishek, welcome to Unsupervised Learning. 2 00:00:03,050 --> 00:00:05,540 S2: Yeah, thanks for having me. Excited to be here. 3 00:00:05,870 --> 00:00:11,090 S1: Yeah. Awesome. So, uh, you are Abhishek Agarwal and co-founder 4 00:00:11,090 --> 00:00:14,360 S1: and CEO at Material Security. Is that correct? 5 00:00:14,360 --> 00:00:15,230 S2: That's right. 6 00:00:15,890 --> 00:00:20,180 S1: Awesome. Well, tell me about your background and, uh, the 7 00:00:20,180 --> 00:00:22,700 S1: product and just, uh, get us started here. 8 00:00:22,700 --> 00:00:25,940 S2: Yeah, sure. Happy to. Um, yeah. So I'm Abhishek, um, 9 00:00:25,940 --> 00:00:28,880 S2: one of the co-founders of Material. Um, before this company, 10 00:00:28,880 --> 00:00:31,490 S2: I was an early PM at Dropbox, uh, where I 11 00:00:31,490 --> 00:00:35,270 S2: spent time on the data infrastructure side and the cert side, um, 12 00:00:35,270 --> 00:00:38,570 S2: when the company was fairly early. So around 250 people. 13 00:00:38,570 --> 00:00:40,669 S2: I was, uh, an early PM there, like I said. 14 00:00:40,670 --> 00:00:43,879 S2: And then before that, uh, got my start on the 15 00:00:43,880 --> 00:00:47,030 S2: Microsoft at Microsoft Research on the engineering side. So my 16 00:00:47,030 --> 00:00:49,310 S2: background before this company was actually more in like the 17 00:00:49,310 --> 00:00:53,000 S2: productivity and sort of large data sets, side and data 18 00:00:53,000 --> 00:00:56,959 S2: data infrastructure. Um, with this company obviously kind of first 19 00:00:56,960 --> 00:00:59,990 S2: foray into security, although at Dropbox, the security team would 20 00:00:59,990 --> 00:01:02,090 S2: use our data infrastructure quite a bit. So I had 21 00:01:02,090 --> 00:01:05,660 S2: some interaction with them. Um, and yeah, Material.
You know, 22 00:01:05,660 --> 00:01:08,059 S2: we started a while ago, we're kind of in the 23 00:01:08,060 --> 00:01:11,810 S2: email security space, uh, where we're now broadening a little 24 00:01:11,810 --> 00:01:16,160 S2: bit more to the productivity suite more broadly, more generally. But, uh, 25 00:01:16,160 --> 00:01:18,709 S2: the kind of key insight that led to the company, 26 00:01:18,709 --> 00:01:22,190 S2: which actually got started after the 2016 election cycle, where 27 00:01:22,190 --> 00:01:24,830 S2: there were a couple high profile email attacks. Uh, the 28 00:01:24,830 --> 00:01:28,400 S2: key insight was everybody's really obsessed with trying to stop 29 00:01:28,400 --> 00:01:32,030 S2: someone from getting into email. But but we had this 30 00:01:32,030 --> 00:01:33,950 S2: idea which was like, if someone does get into an 31 00:01:33,950 --> 00:01:37,040 S2: email account, there's all these downstream things that they can do. 32 00:01:37,069 --> 00:01:39,830 S2: What if we could contain that blast radius? Uh, so 33 00:01:39,830 --> 00:01:41,720 S2: that was the original insight that led to the company 34 00:01:41,720 --> 00:01:43,910 S2: and a lot of what we still do today. And 35 00:01:43,910 --> 00:01:45,710 S2: then we also do a kind of more of the 36 00:01:45,709 --> 00:01:48,680 S2: traditional email security of trying to, you know, stop attacks 37 00:01:48,680 --> 00:01:53,060 S2: that that are still bypassing, um, uh, sort of gateways and, 38 00:01:53,060 --> 00:01:53,930 S2: and the like. 39 00:01:55,420 --> 00:01:59,470 S1: Yeah. Interesting. The the front page says, uh, secure email 40 00:01:59,470 --> 00:02:02,920 S1: from every angle, which is pretty interesting. I thought that 41 00:02:02,920 --> 00:02:05,200 S1: was that was a good tagline. 42 00:02:05,200 --> 00:02:05,770 S3: Thank you. 43 00:02:06,400 --> 00:02:09,609 S1: Yeah. So I looked at your background as well. 
So 44 00:02:09,730 --> 00:02:12,520 S1: I'm surprised we haven't run into each other more. Uh, 45 00:02:12,520 --> 00:02:14,649 S1: you're also in the Bay Area as well? 46 00:02:14,650 --> 00:02:17,620 S2: I am, yeah. So I moved out here for Dropbox 47 00:02:17,620 --> 00:02:20,020 S2: and then, uh, has been kind of bouncing around the 48 00:02:20,020 --> 00:02:23,950 S2: Bay Area, uh, for the last decade now, so. Yeah. 49 00:02:24,430 --> 00:02:27,100 S1: Nice. Yeah. We should get coffee at some point. Let's 50 00:02:27,100 --> 00:02:29,440 S1: do it for sure. I'm just in Newark, so. 51 00:02:29,440 --> 00:02:31,930 S2: Oh. No way. Okay, I'm really close to you. I'm 52 00:02:31,930 --> 00:02:34,930 S2: in Walnut Creek, so, uh. Oh. Nice. Not not not 53 00:02:34,930 --> 00:02:37,059 S2: just in the Bay Area, but nearby. Yeah. 54 00:02:37,600 --> 00:02:43,239 S1: Awesome. Yeah. So, uh, why do product managers make such 55 00:02:43,240 --> 00:02:48,160 S1: good CEOs and co-founders? Because I know you started in engineering, 56 00:02:48,430 --> 00:02:51,490 S1: but you did a decent amount of time as a 57 00:02:51,490 --> 00:02:55,239 S1: product manager. Yeah. What do you think they're so good at? Like, 58 00:02:55,240 --> 00:02:58,000 S1: starting and building and pushing products. 59 00:02:59,320 --> 00:03:02,930 S2: Yeah. It's a great question. Um. First of all. I mean, 60 00:03:02,930 --> 00:03:05,269 S2: I think that like, you know, I'm a big believer 61 00:03:05,270 --> 00:03:07,760 S2: there's like multiple paths to God. So like, you know, 62 00:03:08,090 --> 00:03:10,130 S2: there is no kind of one template, like a lot 63 00:03:10,130 --> 00:03:13,820 S2: of different profiles, uh, folks, uh, can start companies and 64 00:03:13,820 --> 00:03:16,760 S2: make great, uh, founders or CEOs.
I think the reason 65 00:03:16,760 --> 00:03:21,350 S2: you see product managers kind of maybe overrepresented there is 66 00:03:21,350 --> 00:03:25,190 S2: that by definition, product management is kind of a, um, 67 00:03:25,190 --> 00:03:30,020 S2: generalist function. You know, like you're at this intersection of engineering, uh, 68 00:03:30,020 --> 00:03:33,380 S2: design business. Uh, that's kind of your job as a 69 00:03:33,380 --> 00:03:35,990 S2: product manager. And so if you take that kind of 70 00:03:35,990 --> 00:03:38,030 S2: elevate that, like, that's kind of what you're doing as 71 00:03:38,030 --> 00:03:40,460 S2: a founder, you know, you're like thinking about what to build. 72 00:03:40,460 --> 00:03:41,930 S2: You're thinking about how you're going to sell it, take 73 00:03:41,930 --> 00:03:45,050 S2: it to market. You're thinking about, um, how it's going 74 00:03:45,050 --> 00:03:47,360 S2: to work, but also how you're going to message it. 75 00:03:47,360 --> 00:03:50,360 S2: And so a lot of these kind of activities are 76 00:03:50,360 --> 00:03:54,320 S2: what PMs are doing inside companies for their products. You're 77 00:03:54,320 --> 00:03:56,090 S2: kind of doing that for your whole company as a 78 00:03:56,090 --> 00:03:59,330 S2: founder when you're when you're, uh, CEO or founder. So 79 00:03:59,330 --> 00:04:02,060 S2: I think that's maybe why PMs are attracted to it. Um, 80 00:04:02,060 --> 00:04:05,060 S2: in my case personally, you know, I just kind of 81 00:04:05,060 --> 00:04:07,190 S2: when I was an engineer, I would really be kind 82 00:04:07,190 --> 00:04:09,530 S2: of missing having an input into what the product should 83 00:04:09,530 --> 00:04:11,690 S2: be and how it should work and who the customer 84 00:04:11,690 --> 00:04:13,730 S2: should be. Then when I became a PM, I was 85 00:04:13,730 --> 00:04:16,370 S2: really missing, like writing code.
So I was kind of like, 86 00:04:16,370 --> 00:04:19,070 S2: never really happy in one role or the other. Uh, 87 00:04:19,070 --> 00:04:22,130 S2: and that also makes for a great trait for founders 88 00:04:22,130 --> 00:04:24,350 S2: that are just kind of not satisfied with being in 89 00:04:24,350 --> 00:04:27,619 S2: any one specific role. They just kind of want to like, uh, 90 00:04:27,620 --> 00:04:29,719 S2: be a little bit of jack of all trades. Uh, 91 00:04:29,720 --> 00:04:32,750 S2: so yeah, I think that's why. But I'm not sure. 92 00:04:33,110 --> 00:04:36,470 S1: Yeah, I think that sounds right. I mean, I actually 93 00:04:36,470 --> 00:04:39,860 S1: think with all this AI stuff happening, a lot of 94 00:04:39,860 --> 00:04:42,169 S1: product managers are going to be like, you know what, 95 00:04:42,170 --> 00:04:43,940 S1: screw this. And they're just going to break off and 96 00:04:43,940 --> 00:04:46,729 S1: like build their own companies. Yeah. And have a little 97 00:04:46,730 --> 00:04:48,830 S1: bit of dev support. But even be able to do 98 00:04:48,830 --> 00:04:53,390 S1: like MVPs themselves if they're technical. Yeah. And then be 99 00:04:53,390 --> 00:04:55,460 S1: able to do a lot of the marketing themselves, a 100 00:04:55,460 --> 00:04:58,469 S1: lot of the user stories and like. It's like a 101 00:04:58,470 --> 00:05:01,320 S1: one person company, essentially. 102 00:05:01,770 --> 00:05:03,840 S2: Yeah, I think that's actually one of the most exciting 103 00:05:03,839 --> 00:05:06,630 S2: things about all of this stuff. And I know several 104 00:05:06,630 --> 00:05:09,960 S2: folks have kind of written about this, but the whole like, 105 00:05:09,960 --> 00:05:12,719 S2: when will we see the first, like, you know, billion 106 00:05:12,720 --> 00:05:15,390 S2: dollar company that's just got one employee? That's a very, 107 00:05:15,390 --> 00:05:19,380 S2: very intriguing idea. And I think that is you're totally right.
Um, 108 00:05:19,380 --> 00:05:21,989 S2: that and again, I don't think it has to be 109 00:05:21,990 --> 00:05:25,260 S2: just product managers like anyone that can kind of like 110 00:05:25,410 --> 00:05:28,469 S2: complement whatever skill set they have with, with a lot 111 00:05:28,470 --> 00:05:30,630 S2: of that other stuff is going to be in a 112 00:05:30,630 --> 00:05:34,349 S2: position to really get pretty far with, without, maybe not 113 00:05:34,380 --> 00:05:37,650 S2: with literally just one person, but with a pretty small team. Um. 114 00:05:38,130 --> 00:05:40,260 S1: Yeah. And I think it goes back to what you said, 115 00:05:40,260 --> 00:05:44,250 S1: which is, uh, being able to link these different things. 116 00:05:44,400 --> 00:05:48,240 S1: It's like it's almost like the opposite of Google. And 117 00:05:48,240 --> 00:05:50,039 S1: I know some people at Google, so I don't want 118 00:05:50,040 --> 00:05:53,430 S1: to be too mean here. But like Google in general 119 00:05:53,430 --> 00:05:58,820 S1: is almost like engineering focused. Where as opposed to product 120 00:05:58,820 --> 00:06:02,750 S1: or problem focused. Hmm. Yeah. And so they they have 121 00:06:02,750 --> 00:06:04,970 S1: all this tech that they build, they come out with 122 00:06:04,970 --> 00:06:08,089 S1: the Attention Is All You Need paper. Yeah, yeah. And 123 00:06:08,089 --> 00:06:11,210 S1: people just throw random things at the wall. And there's 124 00:06:11,210 --> 00:06:15,680 S1: not a product management led thing of like, problem solution, 125 00:06:15,680 --> 00:06:19,430 S1: really good marketing that makes it clear and then make 126 00:06:19,430 --> 00:06:22,670 S1: and then also product management making it easy to use. 127 00:06:22,670 --> 00:06:23,450 S2: Totally.
128 00:06:23,450 --> 00:06:26,990 S1: It's like so hard to use like Google stuff like, um, 129 00:06:26,990 --> 00:06:31,279 S1: Google AI Studio compared to Claude or one of these 130 00:06:31,279 --> 00:06:33,980 S1: other products. It's like impenetrable. 131 00:06:33,980 --> 00:06:37,580 S2: Yeah. Um, no, I agree, I, you know, my favorite 132 00:06:37,580 --> 00:06:39,890 S2: kind of recent example of this is that they, they 133 00:06:39,890 --> 00:06:44,360 S2: launched a thing recently for Google Drive in the Workspace setting, 134 00:06:44,360 --> 00:06:48,080 S2: where they will use an LLM to auto classify sensitive 135 00:06:48,080 --> 00:06:51,320 S2: content in your drive, which is pretty cool. Uh, to 136 00:06:51,320 --> 00:06:54,890 S2: like auto label it. Um, but but the way you 137 00:06:54,890 --> 00:06:56,420 S2: have to set it up is like, you literally have 138 00:06:56,420 --> 00:06:59,360 S2: to go as a Workspace admin and like basically train 139 00:06:59,360 --> 00:07:02,720 S2: a model yourself. And I was like, oh my God. Like, 140 00:07:02,720 --> 00:07:05,570 S2: you know, like most of these security folks or IT 141 00:07:05,570 --> 00:07:07,580 S2: admins we talk to like they're they're not going to 142 00:07:07,580 --> 00:07:10,160 S2: have time to go do that and like back test 143 00:07:10,160 --> 00:07:12,830 S2: it and make sure the precision and stuff is good. Like, 144 00:07:12,830 --> 00:07:15,260 S2: you know, you would expect that to be more kind 145 00:07:15,260 --> 00:07:19,640 S2: of one, one, one click. But yeah, I think um, 146 00:07:19,760 --> 00:07:21,530 S2: I think the other thing is that we talk a 147 00:07:21,530 --> 00:07:25,790 S2: lot about product management in the Valley.
But for me personally, 148 00:07:25,790 --> 00:07:29,540 S2: and I've talked about this before, uh, on another podcast, like, 149 00:07:29,540 --> 00:07:33,230 S2: especially as a founder early on, I think learning about 150 00:07:33,230 --> 00:07:37,220 S2: product marketing is very, very important because, yes, because half 151 00:07:37,220 --> 00:07:39,080 S2: of what you were just saying is, um, it is 152 00:07:39,080 --> 00:07:41,780 S2: part of a product manager's kind of responsibility, but it's 153 00:07:41,900 --> 00:07:45,230 S2: honestly it's product marketing. It's like, well, like, what is 154 00:07:45,230 --> 00:07:47,450 S2: this going to thing going to be like, what features 155 00:07:47,450 --> 00:07:49,640 S2: is it going to have? Uh, how are they going 156 00:07:49,640 --> 00:07:51,920 S2: to compare to alternatives like how are we even going 157 00:07:51,920 --> 00:07:54,290 S2: to describe them? Like, you know, are they going to 158 00:07:54,290 --> 00:07:57,080 S2: be bundled this way or that way? These are critical 159 00:07:57,080 --> 00:07:59,720 S2: decisions you're making at the beginning of a company, or 160 00:07:59,720 --> 00:08:03,680 S2: even if inside a inside a large org that have 161 00:08:03,680 --> 00:08:06,530 S2: such a big impact. And I think people often are 162 00:08:06,530 --> 00:08:08,990 S2: thinking about them as an afterthought. I know I certainly 163 00:08:08,990 --> 00:08:11,090 S2: was guilty of this, like when I was dropped at 164 00:08:11,090 --> 00:08:13,940 S2: a Dropbox. Like product marketing would often be like, you've 165 00:08:13,940 --> 00:08:15,710 S2: built the whole product, and now someone needs to write 166 00:08:15,710 --> 00:08:18,620 S2: the launch blog post, and that's where product marketing comes in. 167 00:08:18,620 --> 00:08:21,110 S2: But honestly, like, I think the right way to do 168 00:08:21,110 --> 00:08:24,800 S2: it is invest in product marketing way earlier.
Like make 169 00:08:24,800 --> 00:08:28,340 S2: your website landing page first and figure out force yourself 170 00:08:28,340 --> 00:08:30,410 S2: to understand how you're going to describe it, you know, 171 00:08:30,410 --> 00:08:32,059 S2: before writing a line of code. 172 00:08:32,679 --> 00:08:36,130 S1: I think you're exactly right. I think this is the 173 00:08:36,130 --> 00:08:41,790 S1: whole thing is like. Have the story, the problem be 174 00:08:41,790 --> 00:08:44,670 S1: like in the very front. The problem is everything. Yeah. 175 00:08:44,670 --> 00:08:46,980 S1: Then you have the story and the wrapper around it. 176 00:08:46,980 --> 00:08:49,620 S1: Then you have your landing page, and then it's kind 177 00:08:49,620 --> 00:08:52,080 S1: of like the Amazon flow, which I used a lot 178 00:08:52,080 --> 00:08:56,790 S1: at Apple as well. You you ship the PR, you 179 00:08:56,790 --> 00:08:59,309 S1: release the PR and it's like, here's what the website 180 00:08:59,309 --> 00:09:02,190 S1: looks like. Here's what the marketing looks like. How excited 181 00:09:02,190 --> 00:09:04,380 S1: are we about this? Yes. And if you pass this 182 00:09:04,380 --> 00:09:09,030 S1: around the table for this senior meeting and people aren't excited. Yeah. 183 00:09:09,030 --> 00:09:10,020 S1: What are you doing? 184 00:09:10,020 --> 00:09:11,550 S2: What is it all for? Yeah. What's the point? 185 00:09:11,550 --> 00:09:13,170 S1: Yeah, yeah, yeah. And if you are no. 186 00:09:13,170 --> 00:09:17,370 S2: Worse feeling than being in like, a company where you've 187 00:09:17,370 --> 00:09:20,729 S2: built the product, you've invested all this time engineering, and 188 00:09:20,730 --> 00:09:23,490 S2: then you're realizing that there's no worse feeling than that 189 00:09:23,490 --> 00:09:25,830 S2: because you're just like, oh God, what have we just do, 190 00:09:25,860 --> 00:09:27,930 S2: you know? 
So yeah, the more you can do it 191 00:09:27,929 --> 00:09:29,069 S2: up front, the better. 192 00:09:29,070 --> 00:09:34,220 S1: Yeah, definitely. So. So what do you, uh. There yourself 193 00:09:34,220 --> 00:09:37,850 S1: or the company in general believe about email security that 194 00:09:37,850 --> 00:09:38,960 S1: other people don't? 195 00:09:39,470 --> 00:09:42,920 S2: Yeah. Um, this is something that, you know, we have 196 00:09:42,920 --> 00:09:46,250 S2: been kind of saying from the hilltops for a while, but. 197 00:09:46,950 --> 00:09:51,540 S2: The fundamental idea that led to this company was email 198 00:09:51,540 --> 00:09:54,690 S2: is seen in the security context as a really, really 199 00:09:54,690 --> 00:09:57,780 S2: good way to deliver an attack to you, right? Like, 200 00:09:57,780 --> 00:10:01,559 S2: you know, we are all familiar with sort of malware and, uh, 201 00:10:01,559 --> 00:10:05,490 S2: phishing and like BEC and and that's true. Like it 202 00:10:05,490 --> 00:10:08,040 S2: is an open protocol. Anybody on the internet can send 203 00:10:08,040 --> 00:10:10,290 S2: anybody else an email. That's part of what makes it great. 204 00:10:10,290 --> 00:10:13,470 S2: But in a security context, that's what makes it really terrible. 205 00:10:13,470 --> 00:10:16,530 S2: And there's been just years and years and years of 206 00:10:16,530 --> 00:10:19,770 S2: focus on email as a way to deliver an attack. 207 00:10:19,800 --> 00:10:22,860 S2: What's happened, though, at the same time, especially over the 208 00:10:22,860 --> 00:10:27,030 S2: last decade, is we all got like cloud email. And 209 00:10:27,030 --> 00:10:29,910 S2: that meant that we basically got infinite storage and we 210 00:10:29,910 --> 00:10:33,390 S2: started hoarding all of our email. And that means that 211 00:10:33,390 --> 00:10:37,109 S2: it becomes this, like representation of your entire life.
Uh, 212 00:10:37,110 --> 00:10:40,680 S2: on the personal front, it's like literally like everything in 213 00:10:40,679 --> 00:10:43,200 S2: your life, like whether it's like your finances, taxes, your 214 00:10:43,200 --> 00:10:46,230 S2: kids' stuff, your house mortgage, it ends up in your email, 215 00:10:46,230 --> 00:10:48,750 S2: in the corporate setting, obviously, it's like all of the 216 00:10:48,750 --> 00:10:52,709 S2: company's IP, like the system of record. Right. And so 217 00:10:52,710 --> 00:10:54,690 S2: what that does is it makes it a really big 218 00:10:54,690 --> 00:10:57,420 S2: target as well. So it's not just the delivery method 219 00:10:57,420 --> 00:11:00,240 S2: of a bad attack. It's actually the thing that someone 220 00:11:00,240 --> 00:11:02,730 S2: wants to steal now because it has all this content 221 00:11:02,730 --> 00:11:05,460 S2: inside it. Interesting. The thing that we believe about email 222 00:11:05,460 --> 00:11:08,190 S2: security that no one else does is that blocking phishing 223 00:11:08,190 --> 00:11:10,920 S2: and stuff is important. Uh, it really is, because it's 224 00:11:10,920 --> 00:11:13,980 S2: still a really great entry point. But you also have 225 00:11:13,980 --> 00:11:16,770 S2: to think about email as a content repository that needs 226 00:11:16,770 --> 00:11:19,920 S2: to be secured, the same way that security has been 227 00:11:19,920 --> 00:11:23,880 S2: securing other content repositories for a long time. Uh, so 228 00:11:23,880 --> 00:11:26,340 S2: a lot of what we do at Material tries to 229 00:11:26,340 --> 00:11:29,760 S2: block inbound emails that are bad, but it also tries 230 00:11:29,760 --> 00:11:33,300 S2: to go, you know, have a plan.
If someone does 231 00:11:33,300 --> 00:11:35,970 S2: get into a mail account and, you know, today, like 232 00:11:35,970 --> 00:11:37,830 S2: they would be able to steal all the content inside 233 00:11:37,830 --> 00:11:39,540 S2: it or they would be able to go like reset 234 00:11:39,540 --> 00:11:42,690 S2: my Dropbox password and take over Dropbox. We try to 235 00:11:42,690 --> 00:11:45,390 S2: mitigate those things and limit the blast radius of a 236 00:11:45,390 --> 00:11:47,700 S2: bad of a, of a of a breach. Basically, if 237 00:11:47,700 --> 00:11:50,070 S2: someone does get into an account, how can we stop 238 00:11:50,070 --> 00:11:52,020 S2: them from not doing as much harm as they would 239 00:11:52,020 --> 00:11:55,590 S2: normally have done? That's a thing we're complementing traditional email 240 00:11:55,590 --> 00:11:56,520 S2: security with. 241 00:11:56,970 --> 00:12:00,480 S1: No, that's interesting. And what are the detection mechanisms for that? 242 00:12:00,480 --> 00:12:05,760 S1: So let's say someone has a credential. Yeah. Um like what? 243 00:12:06,000 --> 00:12:08,579 S1: How are you detecting if you move around, you do 244 00:12:08,580 --> 00:12:10,320 S1: something dangerous inside the account. 245 00:12:10,320 --> 00:12:12,930 S2: Yeah. So the first thing I'd say is, like, it 246 00:12:12,929 --> 00:12:15,600 S2: actually doesn't have to be about detection at all. So 247 00:12:15,600 --> 00:12:17,850 S2: let me give you an example. So let's say like 248 00:12:17,850 --> 00:12:20,250 S2: we take a, the uh, the analogy of a car. 249 00:12:20,250 --> 00:12:23,699 S2: So a seatbelt is something you just put on when 250 00:12:23,700 --> 00:12:26,520 S2: you drive a car. It doesn't like detect the accident 251 00:12:26,520 --> 00:12:29,190 S2: and like go into like motion right before the accident 252 00:12:29,190 --> 00:12:30,990 S2: is going to happen. Like it's just there. It does 253 00:12:30,990 --> 00:12:35,370 S2: its job. Yeah.
Um, so similarly, you know, we're not 254 00:12:35,370 --> 00:12:38,070 S2: necessarily detecting the presence of an attacker and then trying 255 00:12:38,070 --> 00:12:40,620 S2: to respond. We're just saying there are certain controls you 256 00:12:40,620 --> 00:12:43,859 S2: should just have all the time. So for example, um, 257 00:12:43,860 --> 00:12:47,280 S2: if you, uh, one of our products is called, uh, 258 00:12:47,280 --> 00:12:49,410 S2: data protection for email. And what it does is it 259 00:12:49,410 --> 00:12:53,579 S2: goes through your archive and via APIs, it looks for 260 00:12:53,580 --> 00:12:56,040 S2: anything that it thinks is really sensitive, like really juicy 261 00:12:56,040 --> 00:12:59,550 S2: stuff that's in your archives. And if it's like older 262 00:12:59,550 --> 00:13:01,800 S2: than some specified period of time, let's say a year 263 00:13:01,800 --> 00:13:05,130 S2: or six months, it it can actually redact it inside 264 00:13:05,130 --> 00:13:09,060 S2: your mailbox and make you do a side channel challenge, 265 00:13:09,059 --> 00:13:11,400 S2: like an MFA or a, you know, Touch ID or 266 00:13:11,400 --> 00:13:14,130 S2: an Okta push or whatever before you can get it back 267 00:13:14,130 --> 00:13:17,700 S2: in your mailbox. And, um, that's like a simple control 268 00:13:17,700 --> 00:13:20,640 S2: that is not it's not going into place when we 269 00:13:20,640 --> 00:13:24,600 S2: detect an attacker. It's just there all the time. Because, 270 00:13:24,600 --> 00:13:27,390 S2: you know, in the same way that, uh, for other 271 00:13:27,390 --> 00:13:29,250 S2: content repos, you wouldn't want it to be the case 272 00:13:29,250 --> 00:13:31,740 S2: that if I get in once, I just get everything. 273 00:13:31,740 --> 00:13:33,780 S2: You would want to have additional checks. We're just trying 274 00:13:33,780 --> 00:13:36,209 S2: to do that for email as well.
Now, what's cool 275 00:13:36,210 --> 00:13:40,110 S2: about that, though, is that it opens up detection capabilities, 276 00:13:40,110 --> 00:13:42,750 S2: because now let's say someone was in my account and 277 00:13:42,750 --> 00:13:45,120 S2: they're going to try to like retrieve these messages that 278 00:13:45,120 --> 00:13:48,179 S2: have been redacted. Well, yeah. If they like try and 279 00:13:48,179 --> 00:13:51,120 S2: they keep failing requests. Now it acts as a canary 280 00:13:51,120 --> 00:13:53,250 S2: and it tells us, okay, there might be someone in 281 00:13:53,250 --> 00:13:57,030 S2: this mailbox, um, which is actually, you know, funny story. Like, 282 00:13:57,030 --> 00:14:00,240 S2: recently there was this big attack, uh, by the Chinese 283 00:14:00,240 --> 00:14:03,329 S2: called Storm. Uh, uh, it was a Storm eight breach. 284 00:14:03,330 --> 00:14:06,870 S2: It's a group that attacked the Department of Justice and 285 00:14:06,870 --> 00:14:10,349 S2: a State Department and a couple other, uh, federal agencies, 286 00:14:10,350 --> 00:14:13,950 S2: and they basically were after email correspondence. That's why they 287 00:14:13,950 --> 00:14:17,219 S2: did it. They went after the content of these mailboxes. 288 00:14:17,309 --> 00:14:20,790 S2: And one of the agencies that actually discovered this attack 289 00:14:20,820 --> 00:14:23,130 S2: the way they did that is because they were looking 290 00:14:23,130 --> 00:14:26,490 S2: at a log of every time an email message inside 291 00:14:26,490 --> 00:14:30,120 S2: a mailbox is accessed. It's a very verbose log. Um, 292 00:14:30,120 --> 00:14:33,120 S2: most people don't use it or don't, uh, operationalize it, 293 00:14:33,120 --> 00:14:36,060 S2: but they were. And it's how they figured out, oh, man.
294 00:14:36,060 --> 00:14:38,460 S2: Like someone is reading all these emails from like, three 295 00:14:38,460 --> 00:14:40,800 S2: years ago, and they're doing it at a very high 296 00:14:40,800 --> 00:14:43,470 S2: volume versus what the normal usage of the mailbox is. 297 00:14:43,470 --> 00:14:46,170 S2: So you do want canaries that can tell you about. 298 00:14:46,370 --> 00:14:49,490 S2: The attacker. But more importantly, you want to just like 299 00:14:49,490 --> 00:14:51,200 S2: limit what the attacker can do in the first place 300 00:14:51,200 --> 00:14:53,090 S2: because it's not just all about detection. 301 00:14:53,300 --> 00:14:56,000 S1: Yeah, I love that because that that kind of takes 302 00:14:56,000 --> 00:15:00,020 S1: the realm away from like an email security. Yeah. Vibe, 303 00:15:00,020 --> 00:15:02,600 S1: which is very, I don't know, 20 years ago or 304 00:15:02,600 --> 00:15:05,510 S1: whatever and moves it into more of like a data 305 00:15:05,510 --> 00:15:07,550 S1: security or like an app security. 306 00:15:07,550 --> 00:15:10,640 S2: That's right. That's exactly right. And, and, um, this is 307 00:15:10,640 --> 00:15:14,030 S2: one of those situations where like, like the terminology is 308 00:15:14,030 --> 00:15:17,720 S2: actually hurting us as an industry because it's like, okay, 309 00:15:17,720 --> 00:15:20,510 S2: so email security means what you just said, right? For 310 00:15:20,510 --> 00:15:22,700 S2: 20 years it's blocked bad emails. 311 00:15:22,700 --> 00:15:25,670 S1: Yeah. SMTP related settings, whatever. Yeah. 312 00:15:25,670 --> 00:15:28,310 S2: Or like I'm going to send you like the, you know, like, uh, 313 00:15:28,310 --> 00:15:32,300 S2: Sasser worm over email like 20 years ago, but like, uh, 314 00:15:32,300 --> 00:15:37,760 S2: or more than 20 years ago. Man, it's been a while. Um, yeah.
But, uh, 315 00:15:37,760 --> 00:15:40,370 S2: but I think then what do you call the thing 316 00:15:40,370 --> 00:15:43,310 S2: that tries to go protect the sensitive content in your email? 317 00:15:43,310 --> 00:15:46,580 S2: I mean, technically, it's security for your email messages. So 318 00:15:46,580 --> 00:15:49,100 S2: is it email security? I mean, maybe, but like, yeah, 319 00:15:49,100 --> 00:15:52,280 S2: to your point, it's more like data security or app security. Um, 320 00:15:52,280 --> 00:15:55,700 S2: you know, it gets even more like, uh, tricky, like. So, 321 00:15:55,700 --> 00:15:57,680 S2: for example, I mentioned that I was at Dropbox before 322 00:15:57,680 --> 00:16:00,020 S2: this company. One of the biggest ways we would see 323 00:16:00,050 --> 00:16:03,500 S2: Dropbox accounts get hacked is an email account would get hacked, 324 00:16:03,500 --> 00:16:06,590 S2: and then the adversary would just reset a password to 325 00:16:06,590 --> 00:16:09,859 S2: Dropbox because, um, back then and I think this is 326 00:16:09,860 --> 00:16:12,140 S2: still the case, like, even if you had MFA on 327 00:16:12,140 --> 00:16:15,890 S2: your Dropbox account, if you requested a password reset email, 328 00:16:15,890 --> 00:16:18,830 S2: Dropbox would let you reset the password without triggering MFA 329 00:16:18,830 --> 00:16:21,440 S2: because it assumed that if you had lost your first factor, 330 00:16:21,440 --> 00:16:24,050 S2: you would have also lost your second factor. Um, but 331 00:16:24,050 --> 00:16:25,820 S2: that means, like if I get access to an email 332 00:16:25,820 --> 00:16:28,040 S2: account now, all of a sudden every service that is 333 00:16:28,040 --> 00:16:31,070 S2: connected to that email account, I can just move it to, um, 334 00:16:31,070 --> 00:16:34,190 S2: this happened, you know, with like, uh, McDonald's. 
They had 335 00:16:34,190 --> 00:16:37,100 S2: their Twitter account taken over because someone broke into, like 336 00:16:37,100 --> 00:16:40,250 S2: a marketing person's email account and then reset the Twitter 337 00:16:40,250 --> 00:16:43,070 S2: password and they could just post anything they wanted as McDonald's. 338 00:16:43,070 --> 00:16:46,160 S2: So you kind of see this thing where, like, email 339 00:16:46,160 --> 00:16:50,120 S2: is really more than just a bad way to deliver something, uh, or, sorry, 340 00:16:50,120 --> 00:16:52,820 S2: a way to deliver something bad. It is like all 341 00:16:52,820 --> 00:16:55,520 S2: of these other things open up from an email account 342 00:16:55,520 --> 00:16:58,190 S2: if you, if you, um, if you get it access once. 343 00:16:59,060 --> 00:17:02,090 S1: Yeah. I love this idea. It's it's almost like you 344 00:17:02,090 --> 00:17:04,760 S1: can make a total list of all the bad things 345 00:17:04,760 --> 00:17:07,820 S1: that can happen around email. Yeah. And then not even 346 00:17:07,820 --> 00:17:10,250 S1: think about email security. Not even think about any type 347 00:17:10,250 --> 00:17:13,609 S1: of security. Just make a list of, like, abuse cases. Yeah, yeah. 348 00:17:13,609 --> 00:17:16,790 S1: And then be like, okay, so where are the different 349 00:17:16,790 --> 00:17:19,040 S1: layers of control that we could put on this. Is 350 00:17:19,040 --> 00:17:21,889 S1: this a. And then you could assign the labels afterwards 351 00:17:21,890 --> 00:17:24,050 S1: and be like this is kind of a data security thing. 352 00:17:24,050 --> 00:17:27,500 S1: We kind of think of this as appsec or whatever. Yeah. 353 00:17:27,800 --> 00:17:30,530 S1: And then just be like, look there's like 13 of 354 00:17:30,530 --> 00:17:33,380 S1: these and they're really important. 
I mean, what are some 355 00:17:33,380 --> 00:17:35,000 S1: of the other ones that are kind of like a 356 00:17:35,000 --> 00:17:38,600 S1: more traditional appsec type control that, that you. 357 00:17:39,170 --> 00:17:42,949 S2: Um, I think there's so, you know, there's going after data, uh, 358 00:17:42,950 --> 00:17:46,100 S2: then there's using lateral movement, uh, like I said, with 359 00:17:46,100 --> 00:17:47,960 S2: the password reset type of stuff. So trying to figure 360 00:17:47,960 --> 00:17:50,000 S2: out where else I can get from this. So is 361 00:17:50,000 --> 00:17:53,660 S2: a vector for further attack. Um, the other kind of 362 00:17:53,660 --> 00:17:56,270 S2: thing that is very common is if I'm in control 363 00:17:56,270 --> 00:17:59,659 S2: of a mailbox now, I can send email from it, obviously, 364 00:17:59,660 --> 00:18:02,570 S2: and like impersonate the person who I've just taken over. 365 00:18:02,570 --> 00:18:05,659 S2: So this is one of the most common ways that like, uh, 366 00:18:05,660 --> 00:18:09,169 S2: business email compromise happens where, uh, let's say you're a 367 00:18:09,170 --> 00:18:11,810 S2: big company, you have a vendor that sends you invoices 368 00:18:11,810 --> 00:18:15,530 S2: every month. Someone takes over the vendor's account, uh, sends 369 00:18:15,530 --> 00:18:17,780 S2: an email from the vendor that's like, hey, we need 370 00:18:17,780 --> 00:18:20,660 S2: to change the payment terms of our invoice. And you're like, okay, cool. 371 00:18:20,660 --> 00:18:22,879 S2: It's coming from the valid email. And now all of 372 00:18:22,880 --> 00:18:25,639 S2: a sudden, you've wired money to the wrong place, right? So, uh, 373 00:18:25,640 --> 00:18:29,510 S2: that's another abuse case of taking over a mailbox. Um, 374 00:18:29,600 --> 00:18:33,470 S2: and but but honestly, there aren't that many. 
And this 375 00:18:33,470 --> 00:18:36,379 S2: is kind of like, I, I like your point of, like, 376 00:18:36,380 --> 00:18:38,750 S2: making that list. Uh, when we started this company, me 377 00:18:38,750 --> 00:18:42,110 S2: and my, one of my co-founders, we're big into analogies. 378 00:18:42,109 --> 00:18:44,360 S2: So I'll give you another analogy, right? Like, okay, if 379 00:18:44,359 --> 00:18:47,210 S2: you're thinking about, like, protecting your house and you have 380 00:18:47,210 --> 00:18:49,550 S2: to make a list of every single way I could 381 00:18:49,550 --> 00:18:52,040 S2: break into your house, like, how do I get in? Yep. 382 00:18:52,040 --> 00:18:54,560 S2: And so that's one list. And now you make another 383 00:18:54,560 --> 00:18:56,930 S2: list of, like, every single thing I would actually want 384 00:18:56,930 --> 00:18:59,660 S2: of value in your house that you really care about. Yes. 385 00:18:59,660 --> 00:19:02,359 S2: Like which list is shorter? I would argue that second 386 00:19:02,359 --> 00:19:04,580 S2: list is way shorter, right? It's like okay, like there's 387 00:19:04,580 --> 00:19:08,359 S2: a few things that like are your crown jewels, uh, 388 00:19:08,359 --> 00:19:11,360 S2: and you want to protect. So if you take that 389 00:19:11,359 --> 00:19:14,780 S2: same idea to email security, if you think about every 390 00:19:14,780 --> 00:19:18,050 S2: single way an email account can be compromised, it is 391 00:19:18,050 --> 00:19:19,969 S2: like a long list, like I can I can do 392 00:19:19,970 --> 00:19:23,270 S2: a malicious OAuth application, I can bypass MFA. Maybe I 393 00:19:23,270 --> 00:19:25,790 S2: get a malicious browser extension, I might steal a personal 394 00:19:25,790 --> 00:19:29,240 S2: device, like, client side malware, list goes on.
And I mean, 395 00:19:29,240 --> 00:19:32,570 S2: in the case of like some of these state actor attacks, 396 00:19:32,570 --> 00:19:36,020 S2: it's like literally zero days or, you know, a forged 397 00:19:36,020 --> 00:19:38,960 S2: token at the Microsoft level. There's like just a long, 398 00:19:38,960 --> 00:19:41,570 S2: long list. But then what do I actually want? Once 399 00:19:41,570 --> 00:19:43,310 S2: I get into an email account, it's like 2 or 400 00:19:43,310 --> 00:19:45,290 S2: 3 things like, you know, I want the data that's 401 00:19:45,290 --> 00:19:48,050 S2: inside the mailbox already. I want to move laterally to 402 00:19:48,050 --> 00:19:51,560 S2: some other services. I want to send outbound email to 403 00:19:51,560 --> 00:19:54,800 S2: specific people. So it's just a much, much shorter list. 404 00:19:54,800 --> 00:19:57,229 S2: And to your point, you can kind of iterate through 405 00:19:57,230 --> 00:19:59,450 S2: each of those abuse cases and say, what controls can 406 00:19:59,450 --> 00:20:03,109 S2: I put into place and actually really take a solid 407 00:20:03,109 --> 00:20:05,570 S2: dent on, like the harm that you can do from 408 00:20:05,570 --> 00:20:09,260 S2: a compromised mailbox? Um, so I like that way of 409 00:20:09,260 --> 00:20:10,070 S2: thinking a lot. 410 00:20:10,950 --> 00:20:15,810 S1: Yeah. Yeah, I think it's really interesting. I love that 411 00:20:15,810 --> 00:20:19,350 S1: you're thinking in lists the same way. I, I very 412 00:20:19,350 --> 00:20:21,600 S1: much think that way. I think of a risk register 413 00:20:21,600 --> 00:20:25,650 S1: that way. I think of threat scenarios, uh, attack scenarios 414 00:20:25,650 --> 00:20:30,420 S1: like defenses. And you kind of just match them up. Yeah.
Um, 415 00:20:30,420 --> 00:20:33,869 S1: I hate to say the a word, but, um, one 416 00:20:33,869 --> 00:20:37,110 S1: one thing, uh, that I think about a lot is, 417 00:20:37,109 --> 00:20:40,709 S1: is like, okay, if one of those things is convincing 418 00:20:40,710 --> 00:20:44,699 S1: somebody to do something. Yes. Like, hey, it's time to go, uh, 419 00:20:44,700 --> 00:20:47,910 S1: go send this money. I need it urgently. Yeah. You 420 00:20:47,910 --> 00:20:51,419 S1: can ask, uh, an LLM or AI or whatever. Like 421 00:20:51,570 --> 00:20:55,980 S1: is is someone applying pressure of urgency here? Yes. Yes. Um, 422 00:20:55,980 --> 00:20:58,500 S1: and is that sense of urgency tied to a thing 423 00:20:58,500 --> 00:21:00,840 S1: that matters a lot, like sending money? Yes. 424 00:21:00,840 --> 00:21:02,040 S3: Right. Yeah. 425 00:21:02,040 --> 00:21:04,919 S1: So you could just build this, you know, very large 426 00:21:04,920 --> 00:21:07,140 S1: list of like, all the different bad things. And like 427 00:21:07,140 --> 00:21:10,290 S1: you said, it's, um, there could be API keys, there 428 00:21:10,290 --> 00:21:13,500 S1: could be, um, uh, one of the big things a 429 00:21:13,500 --> 00:21:16,800 S1: lot of foreign actors do, as you know, more than me, 430 00:21:16,800 --> 00:21:19,889 S1: is like, go after sources and look for, like, with 431 00:21:19,890 --> 00:21:22,530 S1: reporters and stuff like that. Yes. So if you just 432 00:21:22,530 --> 00:21:25,740 S1: had this giant grid of like all these different situations 433 00:21:25,740 --> 00:21:28,800 S1: and be like, oh, this one, we could do LLM 434 00:21:28,800 --> 00:21:31,350 S1: to detect that this one is just a setting inside 435 00:21:31,350 --> 00:21:34,350 S1: the platform to do that one. Yes. I love that 436 00:21:34,350 --> 00:21:35,760 S1: comprehensive approach. 437 00:21:35,760 --> 00:21:38,760 S2: 100% agree with you. 
Um, and in fact, the thing 438 00:21:38,760 --> 00:21:41,790 S2: that you just pointed out, we literally use LLMs for 439 00:21:41,790 --> 00:21:43,109 S2: on the detection side because. 440 00:21:43,109 --> 00:21:43,709 S3: Sometimes. 441 00:21:43,710 --> 00:21:47,550 S2: Because sometimes, um, you know, to be honest, like a 442 00:21:47,550 --> 00:21:50,790 S2: lot of the kind of NLU stuff of like detecting 443 00:21:50,790 --> 00:21:53,760 S2: things like urgency and stuff like that that's been around 444 00:21:53,760 --> 00:21:57,000 S2: for a while, but then like there's and it didn't 445 00:21:57,000 --> 00:21:59,580 S2: require LLMs, you know, you can train like a traditional 446 00:21:59,580 --> 00:22:03,149 S2: machine learning model. But what is cool about LLMs is 447 00:22:03,150 --> 00:22:06,420 S2: that the speed of iteration is very fast. So like 448 00:22:06,420 --> 00:22:09,359 S2: you can very quickly put things in. You don't have 449 00:22:09,359 --> 00:22:12,960 S2: to worry about things like, you know, multi-language support because 450 00:22:12,960 --> 00:22:15,899 S2: that's handled by the LLM. And then also where it 451 00:22:15,900 --> 00:22:19,890 S2: really becomes handy is for things that are even more complicated. So, 452 00:22:19,890 --> 00:22:22,140 S2: you know, I'll give you an example, like if I'm 453 00:22:22,140 --> 00:22:24,629 S2: a company and I'm trying to protect sensitive email, some 454 00:22:24,630 --> 00:22:25,800 S2: of it is going to be kind of like the 455 00:22:25,800 --> 00:22:29,969 S2: classic like Social Security numbers, credit card numbers, whatever. But 456 00:22:29,970 --> 00:22:31,560 S2: some of it is going to be like, is there 457 00:22:31,560 --> 00:22:34,020 S2: a negotiation happening in this email thread? 458 00:22:34,020 --> 00:22:34,950 S3: Yes. 459 00:22:34,950 --> 00:22:36,780 S2: It's like, how the hell do you how do you 460 00:22:36,780 --> 00:22:39,689 S2: like write a detection for that?
You know, like you're right, 461 00:22:39,690 --> 00:22:43,109 S2: it's really hard. Uh, or like, oh, it's like is 462 00:22:43,109 --> 00:22:47,220 S2: an executive abusing power in this email thread, uh, where 463 00:22:47,250 --> 00:22:49,859 S2: like if it got if it leaked like it would like, 464 00:22:49,859 --> 00:22:52,920 S2: have a reputational damage. Um, that's the kind of stuff 465 00:22:52,920 --> 00:22:55,800 S2: that is very difficult or like, you know, you see, 466 00:22:55,830 --> 00:23:00,570 S2: kind of like examples of, like extortion or like blackmail. Um, 467 00:23:00,570 --> 00:23:04,470 S2: so for those types of things, LLMs are fantastic detection 468 00:23:04,470 --> 00:23:07,650 S2: tools because, I mean, their job is to understand language literally. Right? 469 00:23:07,650 --> 00:23:11,250 S2: So like, they're very, very good at that. Um, I 470 00:23:11,250 --> 00:23:15,000 S2: think a lot of the email security discussion with LLMs 471 00:23:15,000 --> 00:23:19,350 S2: has actually been pretty like pessimistic because people's heads immediately 472 00:23:19,350 --> 00:23:22,320 S2: go to, oh my God, like, this thing can generate text, 473 00:23:22,320 --> 00:23:24,510 S2: which means it can generate phishing emails. And so like 474 00:23:24,510 --> 00:23:26,609 S2: now all of a sudden any bad guy can write 475 00:23:26,609 --> 00:23:31,109 S2: emails and like send them. And, you know, there there 476 00:23:31,109 --> 00:23:33,390 S2: is an element of truth to that for sure. Because like, 477 00:23:33,390 --> 00:23:37,710 S2: you can kind of scale up any kind of like phishing, um, uh, 478 00:23:37,710 --> 00:23:41,340 S2: campaign just by like, you know, doing research via the 479 00:23:41,340 --> 00:23:45,450 S2: LLMs and having it customized. So 100% is a valid 480 00:23:45,450 --> 00:23:48,840 S2: it's a valid fear.
But my kind of answer to 481 00:23:48,840 --> 00:23:51,720 S2: that has always been like, well, shouldn't your good security 482 00:23:51,720 --> 00:23:56,310 S2: controls be sort of, um, agnostic to how an attack 483 00:23:56,310 --> 00:23:58,740 S2: is generated? Like, who cares if it's like a person 484 00:23:58,740 --> 00:24:01,949 S2: writing the email themselves after hours of research, or they 485 00:24:01,950 --> 00:24:04,470 S2: just automated it with like an LLM? At the end 486 00:24:04,470 --> 00:24:06,240 S2: of the day, if you have a good control in place, 487 00:24:06,240 --> 00:24:10,260 S2: like it shouldn't matter. And so and by the way, 488 00:24:10,260 --> 00:24:13,080 S2: like a lot of these AI tools like LLMs are 489 00:24:13,080 --> 00:24:16,380 S2: fantastic on the defensive side too. So I would 490 00:24:16,380 --> 00:24:18,570 S2: personally like to see a little bit more optimism there. Uh, 491 00:24:18,570 --> 00:24:21,300 S2: because like so far, a lot of the fear mongering 492 00:24:21,300 --> 00:24:23,490 S2: around LLMs has been, oh God, they're going to write 493 00:24:23,520 --> 00:24:26,250 S2: ten more phishing emails. And it's like, yes, but like 494 00:24:26,250 --> 00:24:29,939 S2: your controls should work anyway. Good ones at least. And secondly, 495 00:24:29,940 --> 00:24:32,190 S2: you can also use them on the defensive side. So 496 00:24:32,190 --> 00:24:34,230 S2: there's there's a lot to be optimistic about. 497 00:24:34,230 --> 00:24:37,170 S1: Yeah I love that. The way I've been framing that 498 00:24:37,170 --> 00:24:41,020 S1: is, um, uh, red is going to have like this 499 00:24:41,020 --> 00:24:43,960 S1: massive advantage in the beginning because they could just like 500 00:24:43,960 --> 00:24:46,719 S1: they don't have to experiment and be careful. Yeah. They 501 00:24:46,720 --> 00:24:49,359 S1: could just like so the spear phishing like, starts the day 502 00:24:49,359 --> 00:24:51,070 S1: after an LLM comes out. Yes.
503 00:24:51,070 --> 00:24:51,790 S2: Yeah. Exactly. 504 00:24:51,790 --> 00:24:52,090 S3: Yeah. 505 00:24:52,090 --> 00:24:56,740 S1: But um, blue should actually get better with those same 506 00:24:56,740 --> 00:24:57,580 S1: AI tools. 507 00:24:57,580 --> 00:24:57,970 S3: Yeah. 508 00:24:57,970 --> 00:25:01,119 S1: So ideally it would be something like oh we have a, 509 00:25:01,300 --> 00:25:04,390 S1: we have a C-team member who is like just 510 00:25:04,390 --> 00:25:07,420 S1: so ego driven. And if you compliment them in any 511 00:25:07,420 --> 00:25:10,720 S1: way and like say, hey, I want you to lead 512 00:25:10,720 --> 00:25:13,270 S1: this new foundation or something like they're going to click 513 00:25:13,270 --> 00:25:14,020 S1: that email. 514 00:25:14,500 --> 00:25:14,710 S3: Yeah. 515 00:25:14,710 --> 00:25:16,270 S1: So you flag that or something. 516 00:25:16,270 --> 00:25:16,600 S3: Yeah. 517 00:25:16,840 --> 00:25:19,210 S1: This goes back to what I think is so cool about. 518 00:25:19,210 --> 00:25:19,810 S3: That would be funny. 519 00:25:19,810 --> 00:25:22,690 S2: It's like this email is complimenting you. You don't ever 520 00:25:22,690 --> 00:25:24,369 S2: get compliments. This especially. 521 00:25:24,790 --> 00:25:25,149 S3: Right. 522 00:25:25,150 --> 00:25:29,020 S1: That's right. And you click on 94 of them 94% 523 00:25:29,020 --> 00:25:30,940 S1: of them when you do get a compliment. So this 524 00:25:30,940 --> 00:25:35,850 S1: is dangerous. Um, yeah. Yeah. So it's like. The other 525 00:25:35,850 --> 00:25:38,730 S1: thing that's really powerful about this is, um, you can 526 00:25:38,730 --> 00:25:43,500 S1: have additional context customized for your particular company. Yeah. So 527 00:25:43,500 --> 00:25:46,770 S1: it's like, um, we're doing this thing with France or something. 528 00:25:46,770 --> 00:25:50,280 S1: It's really sensitive. Yes.
And, uh, so anything around that is, 529 00:25:50,280 --> 00:25:52,110 S1: you know, notch that up two levels. 530 00:25:52,109 --> 00:25:52,530 S3: Totally. 531 00:25:52,530 --> 00:25:55,350 S2: Totally. Yeah, yeah. And so, yeah, we've been talking about 532 00:25:55,350 --> 00:25:59,100 S2: kind of like suspicious or malicious emails, but LLMs like 533 00:25:59,100 --> 00:26:01,770 S2: I think you just alluded to also very helpful for 534 00:26:01,770 --> 00:26:05,340 S2: the sensitive emails because like yes. Yeah. To your point, 535 00:26:05,340 --> 00:26:08,550 S2: like maybe today you want to say something like anything 536 00:26:08,550 --> 00:26:11,040 S2: about this project or we're about to we're prepping to 537 00:26:11,040 --> 00:26:13,830 S2: go to IPO. Uh, not Material, but as a hypothetical. 538 00:26:13,830 --> 00:26:14,400 S3: Right. Exactly. 539 00:26:14,400 --> 00:26:19,719 S2: Like it's like, uh, how any conversation around like IPO 540 00:26:19,720 --> 00:26:22,390 S2: prep is pretty sensitive. Like, but how do you how 541 00:26:22,390 --> 00:26:25,660 S2: do you declare that as a general sensitive content category? 542 00:26:25,660 --> 00:26:29,320 S2: It's pretty hard without something like an LLM. So leveraging 543 00:26:29,320 --> 00:26:33,340 S2: them for those custom detection categories or context specific detection 544 00:26:33,340 --> 00:26:36,190 S2: categories is very exciting. Um, and I and I think 545 00:26:36,190 --> 00:26:39,250 S2: that that is the way the, the sort of like, uh, 546 00:26:39,250 --> 00:26:40,780 S2: security controls are headed. 547 00:26:41,500 --> 00:26:45,340 S1: Yeah, absolutely. The other use case I thought about for 548 00:26:45,340 --> 00:26:49,120 S1: a long time about that is like, um, legal companies 549 00:26:49,119 --> 00:26:50,290 S1: were being attacked. 550 00:26:50,320 --> 00:26:50,920 S3: Um, law. 551 00:26:50,920 --> 00:26:54,340 S1: Firms. Yeah.
And they have very little IT staff, very 552 00:26:54,340 --> 00:26:58,090 S1: little security knowledge. Yes. And what they have is this 553 00:26:58,090 --> 00:27:02,710 S1: list of connections, people interacting with different people. Yeah. Uh, 554 00:27:02,710 --> 00:27:05,890 S1: suing different people. And it's like, that's the mapping that 555 00:27:05,890 --> 00:27:07,629 S1: that attacker might want, want to use. 556 00:27:07,630 --> 00:27:08,560 S3: Yes. Yeah. 557 00:27:08,560 --> 00:27:11,139 S2: Totally. Well, and that's another I mean, that brings up 558 00:27:11,140 --> 00:27:14,050 S2: one other point about email that is hard, is that 559 00:27:14,050 --> 00:27:17,500 S2: the way email works is when when a message is 560 00:27:17,500 --> 00:27:21,970 S2: sent to multiple people, uh, everyone gets a copy, obviously. Right. 561 00:27:21,970 --> 00:27:24,850 S2: So there's no like pointer relationship with email. Like you 562 00:27:24,850 --> 00:27:29,080 S2: each get a copy, which means that one of the 563 00:27:29,080 --> 00:27:30,790 S2: downsides is that is like you could be doing a 564 00:27:30,790 --> 00:27:33,609 S2: great job with your own email security and like, you 565 00:27:33,609 --> 00:27:37,060 S2: could have minimized the impact of a compromised account or whatever. 566 00:27:37,060 --> 00:27:40,510 S2: But then like the person who was CC'd, like, you know, 567 00:27:40,510 --> 00:27:42,820 S2: they might have terrible, you know, when when we started 568 00:27:42,820 --> 00:27:45,340 S2: the company, like I mentioned, it was after the 2016 569 00:27:45,340 --> 00:27:48,429 S2: election cycle, and one of the attacks that happened then 570 00:27:48,430 --> 00:27:50,950 S2: was John Podesta, who was Hillary's campaign chairman. 
He had 571 00:27:50,950 --> 00:27:54,400 S2: his personal Gmail account compromised, and all of his emails 572 00:27:54,400 --> 00:27:56,980 S2: were put on WikiLeaks, like literally like years and years 573 00:27:56,980 --> 00:28:00,399 S2: of his personal Gmail. And and there were things in 574 00:28:00,400 --> 00:28:03,040 S2: there that he was just CC'd on. He had literally 575 00:28:03,040 --> 00:28:05,200 S2: no reason to even be on the message. He was 576 00:28:05,200 --> 00:28:09,400 S2: just CC'd. And because of that, all this communication that 577 00:28:09,400 --> 00:28:13,389 S2: was about like the election or about like prepping for 578 00:28:13,390 --> 00:28:17,560 S2: something that like, frankly, he just was being an FYI on. Yeah. 579 00:28:17,890 --> 00:28:20,530 S2: You know, um, so I think the, the fact that 580 00:28:20,530 --> 00:28:23,380 S2: everybody gets a copy is hard. And what that means 581 00:28:23,380 --> 00:28:25,090 S2: is you kind of have to think about who your 582 00:28:25,090 --> 00:28:28,240 S2: like trusted parties are that are outside of your control 583 00:28:28,240 --> 00:28:31,690 S2: and make sure they have good practices, you know, which 584 00:28:31,690 --> 00:28:34,119 S2: which becomes a it's kind of like, uh, similar to 585 00:28:34,119 --> 00:28:37,060 S2: a supply chain security problem, right? Where you're like on 586 00:28:37,060 --> 00:28:39,670 S2: the software side, you're thinking about all the dependencies your 587 00:28:39,670 --> 00:28:42,550 S2: software has. On the kind of email side, you might 588 00:28:42,550 --> 00:28:45,970 S2: have to think about all the different, um, associates of 589 00:28:45,970 --> 00:28:48,820 S2: your company that have, you know, your email as well. 590 00:28:48,970 --> 00:28:53,290 S1: Yeah. Or like, uh, PCI where the scope is contagious. Yeah. 591 00:28:53,290 --> 00:28:55,990 S1: It like slightly brushes up against it. Now that's in scope.
592 00:28:55,990 --> 00:28:59,620 S1: It's like yeah, yeah, yeah. Interesting. Um, so so what 593 00:28:59,620 --> 00:29:03,550 S1: does it look like to basically onboard the tech. Like 594 00:29:03,550 --> 00:29:06,520 S1: what does the integration look like. What's the experience like 595 00:29:06,520 --> 00:29:08,530 S1: how fast can somebody get up and running. 596 00:29:08,740 --> 00:29:11,080 S2: Yeah. So it's incredibly fast. And the reason for that 597 00:29:11,080 --> 00:29:14,380 S2: is everything we do uh works with cloud mailboxes which 598 00:29:14,380 --> 00:29:18,310 S2: have APIs. So our whole integration point, um, is API based. 599 00:29:18,310 --> 00:29:21,459 S2: It's just an OAuth grant where we are getting access 600 00:29:21,460 --> 00:29:25,090 S2: to email via API. Uh, which is a big difference 601 00:29:25,090 --> 00:29:27,790 S2: from like, uh, you know, legacy email security products that 602 00:29:27,790 --> 00:29:28,600 S2: some folks might. 603 00:29:28,600 --> 00:29:30,190 S3: Be away or something. Yeah. 604 00:29:30,190 --> 00:29:32,860 S2: Where you're like changing your DNS and like routing email 605 00:29:32,860 --> 00:29:35,710 S2: through the appliance, like you're not doing any of that. Um, 606 00:29:35,710 --> 00:29:38,650 S2: as a result, the integration is very quick. But also 607 00:29:38,650 --> 00:29:41,980 S2: it means that you don't take some dependency on this 608 00:29:41,980 --> 00:29:45,100 S2: API based thing going down and like, you know, shutting 609 00:29:45,100 --> 00:29:47,709 S2: off your email, like, for example, like if material were 610 00:29:47,710 --> 00:29:49,720 S2: to go down, it's not like email stops flowing. You're 611 00:29:49,720 --> 00:29:52,930 S2: still you're still doing email as usual. Of course, some 612 00:29:52,930 --> 00:29:55,270 S2: of the detections material does or some of the mitigations 613 00:29:55,270 --> 00:29:57,820 S2: it does would be would not be active. 
But we're 614 00:29:57,820 --> 00:30:00,940 S2: not in your email flow. Um, so it's pretty quick. 615 00:30:00,940 --> 00:30:03,430 S2: The other benefit of APIs is you can be very 616 00:30:03,430 --> 00:30:06,790 S2: selective in how you deploy that, deploy the protection inside 617 00:30:06,790 --> 00:30:10,030 S2: your company. So for example, with gateways, it's a kind 618 00:30:10,030 --> 00:30:12,489 S2: of an all or nothing you like do a cutover. Um, 619 00:30:12,490 --> 00:30:16,060 S2: but with API based email security products, you can say, hey, 620 00:30:16,060 --> 00:30:19,780 S2: for my executives do X, but for my other team Y, 621 00:30:19,780 --> 00:30:21,970 S2: you know, you can kind of have different settings, different 622 00:30:21,970 --> 00:30:25,000 S2: kind of configurations or policies. So that is something that 623 00:30:25,000 --> 00:30:27,130 S2: a lot of our customers also take advantage of. 624 00:30:27,760 --> 00:30:30,760 S1: Yeah, that's really cool. And what does it look like 625 00:30:30,760 --> 00:30:33,550 S1: to know that it's working. Like what is the interface 626 00:30:33,550 --> 00:30:37,600 S1: look like. Um, if there's nothing wrong, do you just 627 00:30:37,600 --> 00:30:39,730 S1: not see it? And then does it sort of move 628 00:30:39,730 --> 00:30:42,340 S1: up the level in priority if it sees something? 629 00:30:42,340 --> 00:30:43,000 S3: Yeah. 630 00:30:43,000 --> 00:30:45,340 S2: Well, we have a few different products. So depending on 631 00:30:45,340 --> 00:30:47,080 S2: the product we're talking about, you know, what you would 632 00:30:47,080 --> 00:30:49,630 S2: see is slightly different. So one of our products that 633 00:30:49,630 --> 00:30:52,270 S2: we've been talking about a little bit so far is uh, 634 00:30:52,270 --> 00:30:55,690 S2: we go and redact sensitive messages that are older than 635 00:30:55,690 --> 00:31:00,250 S2: some specified time frame. 
And uh, and then an end 636 00:31:00,250 --> 00:31:03,250 S2: user has to pass like an Okta challenge or some 637 00:31:03,250 --> 00:31:06,490 S2: sort of secondary challenge. Uh, it can be really any 638 00:31:06,520 --> 00:31:09,940 S2: IdP or so. If they pass that, then we restore 639 00:31:09,940 --> 00:31:12,670 S2: the message right back into the mailbox. It's really seamless. 640 00:31:12,670 --> 00:31:14,590 S2: And then after some amount of time, once the user 641 00:31:14,590 --> 00:31:16,770 S2: is kind of done with it, we will redact it again. 642 00:31:16,770 --> 00:31:19,950 S2: So for that product, what you see as an IT 643 00:31:19,950 --> 00:31:23,760 S2: or security admin is really not much on a day 644 00:31:23,760 --> 00:31:25,469 S2: to day basis, because it's kind of like just in 645 00:31:25,470 --> 00:31:28,380 S2: the background doing its thing. Uh, you do get an 646 00:31:28,380 --> 00:31:32,070 S2: access request log. So every time someone is accessing one 647 00:31:32,070 --> 00:31:34,410 S2: of these sensitive messages and having to do the retrieval, 648 00:31:34,410 --> 00:31:37,500 S2: now there's a paper trail of that. Obviously you could 649 00:31:37,500 --> 00:31:40,620 S2: you could pipe that into like a SIEM or something 650 00:31:40,620 --> 00:31:42,360 S2: and say, okay, like if I'm seeing a lot of 651 00:31:42,360 --> 00:31:46,230 S2: these from someone at the same time, that's that's indicative 652 00:31:46,230 --> 00:31:47,970 S2: of something bad. Or if I'm getting a lot of 653 00:31:47,970 --> 00:31:50,550 S2: denials in a row, obviously, that that ends up being 654 00:31:50,550 --> 00:31:53,790 S2: something bad, but really there's nothing to like, detect or 655 00:31:53,790 --> 00:31:56,130 S2: show on a daily basis because people are just doing 656 00:31:56,130 --> 00:32:01,140 S2: a self-serve, secure workflow for accessing sensitive content.
Um, on 657 00:32:01,140 --> 00:32:03,300 S2: the other hand, we do have a product that is 658 00:32:03,300 --> 00:32:05,910 S2: much more in the kind of traditional look for 659 00:32:05,910 --> 00:32:09,450 S2: sophisticated attacks that bypass like Google or Microsoft or Proofpoint 660 00:32:09,450 --> 00:32:12,690 S2: or whatever. Um, and there you have like a, you know, 661 00:32:12,690 --> 00:32:15,719 S2: an incidents or cases list where you're seeing kind of 662 00:32:15,720 --> 00:32:19,590 S2: what Material actually detected. Some companies set us up where 663 00:32:19,590 --> 00:32:21,840 S2: we're just auto remediating those. And again, you don't really 664 00:32:21,840 --> 00:32:23,730 S2: have to log into the console. There's nothing to see. 665 00:32:23,730 --> 00:32:26,970 S2: We're just handling them. Other teams are much more hands 666 00:32:26,970 --> 00:32:29,400 S2: on where they might auto remediate, but then they want 667 00:32:29,400 --> 00:32:31,650 S2: to still like triage the things that we actually caught, 668 00:32:31,650 --> 00:32:35,100 S2: make sure they're not false positives. Um, you know, communicate 669 00:32:35,100 --> 00:32:37,620 S2: to end users about it, have their sort of, um, 670 00:32:37,620 --> 00:32:41,250 S2: SOC watch. That kind of really depends on how much, um, 671 00:32:41,250 --> 00:32:43,380 S2: how hands on a company wants to be. But that's 672 00:32:43,380 --> 00:32:44,760 S2: what they would see in the console. 673 00:32:45,330 --> 00:32:49,560 S1: Okay, cool. And then what does, um, the threat intelligence 674 00:32:49,560 --> 00:32:51,660 S1: story look like in terms of like, hey, there's this 675 00:32:51,660 --> 00:32:54,930 S1: new campaign happening, this new vulnerability or whatever. Yeah. And 676 00:32:54,930 --> 00:32:57,660 S1: it's like it's being blasted all over the internet. Yeah.
Like, 677 00:32:57,660 --> 00:33:00,180 S1: what does that turnaround gap look like for you in 678 00:33:00,180 --> 00:33:03,330 S1: terms of like, uh, finding out about it and getting 679 00:33:03,330 --> 00:33:04,890 S1: into the product and rolling it out? 680 00:33:04,890 --> 00:33:07,650 S2: Yeah, it's a great question. Um, yeah. So email is 681 00:33:07,650 --> 00:33:11,550 S2: super dynamic. There's like always new kinds of campaigns. And 682 00:33:11,550 --> 00:33:14,190 S2: people are, uh, you know, trying out new tactics to 683 00:33:14,190 --> 00:33:17,070 S2: bypass kind of a lot of the traditional defenses. So 684 00:33:17,070 --> 00:33:19,410 S2: like one of the, one of the more recent things 685 00:33:19,410 --> 00:33:22,650 S2: is like QR codes, right? Like for a while, like 686 00:33:22,650 --> 00:33:25,560 S2: a lot of detection engines weren't exploding QR codes or 687 00:33:25,560 --> 00:33:27,510 S2: following the links. So that meant that like QR codes 688 00:33:27,510 --> 00:33:30,660 S2: were a really great way to deliver attacks. Um, we 689 00:33:30,660 --> 00:33:33,720 S2: have a couple different mechanisms. So first of all, one 690 00:33:33,720 --> 00:33:36,660 S2: of the things our product does is it also ingests 691 00:33:36,660 --> 00:33:39,960 S2: any user reporting that is happening inside a company. So 692 00:33:39,960 --> 00:33:42,270 S2: one of the best practices that every security team tries 693 00:33:42,270 --> 00:33:45,150 S2: to implement is they say, hey, uh, if you see something, 694 00:33:45,180 --> 00:33:48,090 S2: say something, right? 
Like, uh, and with email security, what 695 00:33:48,090 --> 00:33:50,520 S2: that normally looks like in most companies is, hey, we 696 00:33:50,520 --> 00:33:53,670 S2: have this like phishing mailing list, or we have like a, 697 00:33:53,670 --> 00:33:57,000 S2: like a, like a report phishing button or something where 698 00:33:57,000 --> 00:33:59,580 S2: please report it to us if you see something. So 699 00:33:59,580 --> 00:34:02,490 S2: we have a product that automates the response to those 700 00:34:02,490 --> 00:34:05,729 S2: user reports. So it ingests them. It auto classifies and 701 00:34:05,730 --> 00:34:09,030 S2: triages them, uh, looks for similar messages that the user 702 00:34:09,030 --> 00:34:12,180 S2: may not have reported, and then even responds back to 703 00:34:12,180 --> 00:34:14,700 S2: the user saying, hey, thanks for this report. Uh, it 704 00:34:14,700 --> 00:34:17,489 S2: was fine. Or actually that was a true positive. That 705 00:34:17,489 --> 00:34:20,910 S2: was bad. Anyway, so that ends up being a great 706 00:34:20,910 --> 00:34:24,480 S2: signal because across all customers, if they are users that 707 00:34:24,480 --> 00:34:27,540 S2: are reporting things that then we know are actually malicious, 708 00:34:27,540 --> 00:34:29,850 S2: that's a you know, we think of that as like 709 00:34:29,850 --> 00:34:31,890 S2: a oh, well, why didn't material just flag that in 710 00:34:31,890 --> 00:34:34,830 S2: the first place. And so it becomes this feedback loop. Um, 711 00:34:34,830 --> 00:34:37,710 S2: so the more customers we have, the more signal we 712 00:34:37,710 --> 00:34:39,989 S2: have from users reporting things. And we can quickly like 713 00:34:39,989 --> 00:34:42,450 S2: build it back into the product. The other thing is 714 00:34:42,450 --> 00:34:45,029 S2: we do have an in-house threat research team. 
You know, 715 00:34:45,030 --> 00:34:48,270 S2: their whole job is like focused on looking for these 716 00:34:48,270 --> 00:34:51,660 S2: active campaigns that are happening, looking for what some of 717 00:34:51,660 --> 00:34:54,900 S2: our more sophisticated customers are telling us that they're seeing, 718 00:34:54,900 --> 00:34:57,779 S2: and then quickly kind of iterating on our detection engine 719 00:34:57,780 --> 00:35:01,380 S2: to handle them. And then the the sort of like 720 00:35:01,380 --> 00:35:06,270 S2: last piece of this is, um, just investing in a 721 00:35:06,270 --> 00:35:09,899 S2: system that has a lot of flexibility. So in in 722 00:35:09,900 --> 00:35:13,109 S2: email security, there's kind of this interesting not like really 723 00:35:13,110 --> 00:35:15,810 S2: a debate, but there's this interesting kind of, uh, trend 724 00:35:15,810 --> 00:35:18,180 S2: emerging where there's a couple different approaches to the email 725 00:35:18,180 --> 00:35:21,090 S2: security problem. Like on the one hand, there's kind of 726 00:35:21,090 --> 00:35:24,540 S2: like the black box approach, which is like, hey, like AI, 727 00:35:24,540 --> 00:35:26,460 S2: machine learning, we're going to try to detect what we 728 00:35:26,460 --> 00:35:29,549 S2: can and like there aren't really knobs and tuning and 729 00:35:29,550 --> 00:35:31,500 S2: all that, but like this model is going to be 730 00:35:31,500 --> 00:35:33,900 S2: way better than trying to like handwrite a lot of rules. 731 00:35:33,900 --> 00:35:36,359 S2: Which makes sense because, you know, a lot of times 732 00:35:36,360 --> 00:35:38,460 S2: you have like never before seen attacks or you have 733 00:35:38,460 --> 00:35:41,100 S2: like things that are like, you know, there's no signature 734 00:35:41,100 --> 00:35:43,380 S2: that you can kind of rely on. 
And also, like, 735 00:35:43,380 --> 00:35:45,480 S2: no one wants to maintain this big list of rules 736 00:35:45,480 --> 00:35:47,459 S2: and things like that. So that's kind of one extreme. 737 00:35:47,460 --> 00:35:50,850 S2: The other extreme is, uh, you know, you're kind of 738 00:35:50,850 --> 00:35:55,080 S2: seeing like the detection as code, um, philosophy coming to 739 00:35:55,080 --> 00:35:57,660 S2: email security as well. And people are like, hey, we 740 00:35:57,660 --> 00:36:00,120 S2: have this list of detections we maintain we're going to 741 00:36:00,120 --> 00:36:01,859 S2: back test them. We're going to make sure they have 742 00:36:01,860 --> 00:36:04,680 S2: like a good precision rate. Um, and it gives a 743 00:36:04,680 --> 00:36:06,989 S2: lot of control, but it means you're doing a lot yourself. 744 00:36:06,989 --> 00:36:09,630 S2: You're hand tuning a lot of things. And there are 745 00:36:09,630 --> 00:36:12,509 S2: products that kind of help you and make that easier. 746 00:36:12,510 --> 00:36:14,609 S2: There are products that help you maintain that, you know, 747 00:36:14,610 --> 00:36:17,960 S2: we have customers that maintain like GitHub repositories of like 748 00:36:17,960 --> 00:36:21,290 S2: detections they've written, but it is kind of like very manual. 749 00:36:21,290 --> 00:36:23,450 S2: And then there's kind of somewhere in the middle where 750 00:36:23,450 --> 00:36:26,540 S2: you're like, hey, I don't want to be full black 751 00:36:26,540 --> 00:36:28,700 S2: box because they are going to be things that you miss. 752 00:36:28,700 --> 00:36:31,100 S2: And in those moments, like, you don't want to be like, oh, 753 00:36:31,100 --> 00:36:32,839 S2: I guess I'll just wait for the black box to 754 00:36:32,840 --> 00:36:35,510 S2: update and catch this. 
But on the other hand, you 755 00:36:35,510 --> 00:36:37,730 S2: really don't want to live in a world where most 756 00:36:37,730 --> 00:36:39,920 S2: of your time as a security team is spent on 757 00:36:39,920 --> 00:36:43,700 S2: like tuning or creating these, like, detections. Um, and so 758 00:36:43,700 --> 00:36:46,100 S2: what we're trying to do is like out of the box. 759 00:36:46,100 --> 00:36:49,580 S2: It's like, you know, going to be perfectly fine, have 760 00:36:49,580 --> 00:36:52,339 S2: a lot of coverage, pretty high precision, but then still 761 00:36:52,340 --> 00:36:55,219 S2: give you tools in the product where if you notice something, 762 00:36:55,219 --> 00:36:57,620 S2: if like you're aware of an active campaign that we're not, 763 00:36:57,620 --> 00:37:00,379 S2: you can quickly like express a detection in our product 764 00:37:00,380 --> 00:37:04,250 S2: or express a rule or a search query that will say, hey, 765 00:37:04,250 --> 00:37:06,890 S2: please treat this as malicious. Like, I know your whole 766 00:37:06,890 --> 00:37:09,650 S2: product hasn't updated yet, but like I know this is bad, 767 00:37:09,650 --> 00:37:11,779 S2: I just want to express it in your platform. I 768 00:37:11,780 --> 00:37:14,900 S2: should be able to. Um, so it's kind of a 769 00:37:14,900 --> 00:37:18,830 S2: product design philosophy, right? Which is like have the kind 770 00:37:18,830 --> 00:37:21,440 S2: of flexibility so that when you need it, it's available. 771 00:37:21,440 --> 00:37:24,259 S2: But treat that as almost an anti metric. Like if 772 00:37:24,260 --> 00:37:27,860 S2: people are having to create those flexible leverage that flexibility 773 00:37:27,860 --> 00:37:30,469 S2: a lot. It means you're kind of doing something wrong, right. 774 00:37:30,469 --> 00:37:32,690 S2: Like you really should have done it out of the box. 775 00:37:32,690 --> 00:37:33,469 S3: I absolutely. 776 00:37:33,469 --> 00:37:36,470 S1: Love that. 
I don't know if, um, you ever watch 777 00:37:36,469 --> 00:37:39,049 S1: Star Trek The Next Generation, but I was obsessed with 778 00:37:39,050 --> 00:37:41,510 S1: I was obsessed with the fact that the first time 779 00:37:41,510 --> 00:37:44,210 S1: they hit a Borg with the phaser. Yeah, like it 780 00:37:44,210 --> 00:37:47,900 S1: would fall over dead. And like, the third time the 781 00:37:47,900 --> 00:37:52,220 S1: entire Borg across the entire universe was updated. Yeah. And like, 782 00:37:52,219 --> 00:37:55,040 S1: that frequency would not work anymore. And I was just like, yeah, 783 00:37:55,040 --> 00:37:58,070 S1: that is, you know, I mean, security maybe. 784 00:37:58,310 --> 00:37:58,850 S3: Yeah. 785 00:37:58,850 --> 00:38:00,859 S2: I've never thought about it that way, but so true. 786 00:38:00,860 --> 00:38:01,640 S3: Yeah, yeah. 787 00:38:01,640 --> 00:38:05,450 S1: So that signal that they create that would obviously apply 788 00:38:05,450 --> 00:38:07,910 S1: to their local environment. But is that is that also 789 00:38:07,910 --> 00:38:11,029 S1: a signal to the, uh, the T team to be like, hey, 790 00:38:11,030 --> 00:38:12,319 S1: maybe we should put this in. 791 00:38:12,320 --> 00:38:15,739 S2: Yes, absolutely. And, um, one thing that we are very 792 00:38:15,739 --> 00:38:18,440 S2: conscious of is like, obviously we're getting access to a 793 00:38:18,440 --> 00:38:22,610 S2: companies like email. It's very, very sensitive. So, so the 794 00:38:22,610 --> 00:38:27,170 S2: whole material deployment and architecture, uh, model is that every 795 00:38:27,170 --> 00:38:31,160 S2: single customer has a single tenant environment that is actually 796 00:38:31,160 --> 00:38:33,500 S2: in their control. 
So they, they don't just get access 797 00:38:33,500 --> 00:38:36,890 S2: to our admin console like other SaaS, they actually can 798 00:38:36,890 --> 00:38:39,680 S2: log in to the underlying infrastructure that is hosting our 799 00:38:39,680 --> 00:38:42,890 S2: application because it's all single tenant. And so we get 800 00:38:42,890 --> 00:38:45,589 S2: to make some pretty cool guarantees, like of isolation and 801 00:38:45,590 --> 00:38:48,620 S2: making sure that there's no data sharing happening and that like, 802 00:38:48,620 --> 00:38:52,040 S2: data isn't leaving that instance unless it's permitted by a customer. 803 00:38:52,400 --> 00:38:55,400 S2: Having said that, though, a lot of our customers are 804 00:38:55,400 --> 00:38:59,420 S2: okay with a threat research team extracting the signal of, okay, what, 805 00:38:59,420 --> 00:39:01,670 S2: you know, what custom detections did you make or what 806 00:39:01,670 --> 00:39:04,160 S2: did your user reports? So where we have permission, which 807 00:39:04,160 --> 00:39:06,590 S2: tends to be in most cases, we are able to 808 00:39:06,590 --> 00:39:08,690 S2: look for those signals. But I do want to point 809 00:39:08,690 --> 00:39:10,880 S2: out that there are some customers who are like, nope, sorry. 810 00:39:10,880 --> 00:39:13,460 S2: Like this is too sensitive. Like we don't want your 811 00:39:13,460 --> 00:39:17,060 S2: team or anyone in material to have any access to 812 00:39:17,060 --> 00:39:19,940 S2: what we're doing. You can you can configure and deploy 813 00:39:19,940 --> 00:39:21,950 S2: us that way as well. And you know, there's kind 814 00:39:21,950 --> 00:39:24,800 S2: of like you can probably guess the types of organizations 815 00:39:24,800 --> 00:39:26,780 S2: that want to deploy us in that model. 816 00:39:26,960 --> 00:39:28,850 S1: No, that's a great point. And it goes to your 817 00:39:28,850 --> 00:39:32,300 S1: earlier point about flexibility. 
It's like you could be that 818 00:39:32,300 --> 00:39:36,200 S1: like three letter agency type group. That's like all closed doors. 819 00:39:36,230 --> 00:39:38,960 S1: Or it could be like, yeah, sharing with the Borg 820 00:39:38,960 --> 00:39:39,590 S1: or whatever. 821 00:39:39,590 --> 00:39:40,070 S3: Yeah. 822 00:39:40,070 --> 00:39:42,799 S2: Yeah. Exactly. And you know, and like the nice thing 823 00:39:42,800 --> 00:39:46,400 S2: here is like obviously like for these attacks and stuff 824 00:39:46,400 --> 00:39:49,580 S2: for the most part, like even just like getting like 825 00:39:50,060 --> 00:39:53,090 S2: anonymized data in terms of like, like it doesn't really matter. 826 00:39:53,090 --> 00:39:56,120 S2: Like which tenant or which customer it's targeting. It's just 827 00:39:56,120 --> 00:39:58,160 S2: a fact that like, it got missed. It's something you 828 00:39:58,160 --> 00:40:00,319 S2: can tweak so you kind of don't have to reveal 829 00:40:00,320 --> 00:40:04,160 S2: anything to other customers by participating in this. But having 830 00:40:04,160 --> 00:40:06,410 S2: said that, yeah, some some companies are just a lot 831 00:40:06,410 --> 00:40:10,370 S2: more closed and a lot more strict. And and that's okay. Uh, 832 00:40:10,370 --> 00:40:12,560 S2: we also have the other extreme where there's companies that 833 00:40:12,560 --> 00:40:14,810 S2: are like, dude, I just want to use this as SaaS. Like, 834 00:40:14,810 --> 00:40:17,000 S2: I don't care about the infrastructure. Like, I don't have 835 00:40:17,000 --> 00:40:19,700 S2: teams that like, want to, like, log into that and like, 836 00:40:19,700 --> 00:40:22,520 S2: I'm busy. Just just give me an admin console. That's 837 00:40:22,520 --> 00:40:24,620 S2: fine too, you know, like, uh, so we kind of 838 00:40:24,620 --> 00:40:26,450 S2: have support all of those models. 839 00:40:27,110 --> 00:40:29,840 S1: Okay. And what are the main products? 
I think we've 840 00:40:29,870 --> 00:40:32,450 S1: talked about 2 or 3 already, but like what what 841 00:40:32,450 --> 00:40:33,859 S1: are the main core products. 842 00:40:33,860 --> 00:40:37,610 S2: Yeah. So we have four main products. So the first 843 00:40:37,610 --> 00:40:39,649 S2: that we've been talking about is data protection. And that's 844 00:40:39,650 --> 00:40:43,550 S2: really focused on giving you visibility. And then the redaction 845 00:40:43,550 --> 00:40:46,520 S2: of sensitive messages that are in email. And again not 846 00:40:46,520 --> 00:40:50,630 S2: like outbound emails, not things I'm now sending, but really 847 00:40:50,630 --> 00:40:53,029 S2: focused on what's sitting in your archives that's going to 848 00:40:53,030 --> 00:40:55,640 S2: get you in trouble if a, if a mailbox was compromised, 849 00:40:55,640 --> 00:40:57,620 S2: or if an insider was trying to walk with a 850 00:40:57,620 --> 00:40:59,720 S2: lot of email on their last day or something. So 851 00:40:59,719 --> 00:41:03,020 S2: that's one. The second product is, uh, phishing protection. So 852 00:41:03,020 --> 00:41:05,810 S2: that is kind of the traditional email security where we're 853 00:41:05,810 --> 00:41:10,040 S2: looking for inbound attacks that may have been missed by 854 00:41:10,040 --> 00:41:12,350 S2: like a Google or a Microsoft or whatever other traditional 855 00:41:12,350 --> 00:41:15,020 S2: defenses you have in place. The third is a product 856 00:41:15,020 --> 00:41:18,330 S2: we call identity protection, where it's really focused on that 857 00:41:18,330 --> 00:41:20,910 S2: Dropbox example of like, hey, if you get into my 858 00:41:20,910 --> 00:41:24,270 S2: email account, can you now go reset Dropbox because you 859 00:41:24,270 --> 00:41:27,420 S2: just request a password reset? Or can you go to 860 00:41:27,420 --> 00:41:28,890 S2: Slack and say, hey, can you send me one of 861 00:41:28,890 --> 00:41:31,350 S2: those magic sign in links? 
And then I can just 862 00:41:31,350 --> 00:41:33,900 S2: get into a Slack workspace, even if Slack is behind 863 00:41:33,900 --> 00:41:36,510 S2: SSO or MFA or whatever. Yeah. You literally click these 864 00:41:36,510 --> 00:41:38,190 S2: magic sign in links bypass link. 865 00:41:38,190 --> 00:41:38,550 S3: Yeah. 866 00:41:38,940 --> 00:41:41,670 S2: Um, so what we do there is something again, very simple. 867 00:41:41,670 --> 00:41:44,520 S2: It's another seat belt where we intercept those kinds of 868 00:41:44,520 --> 00:41:47,609 S2: messages and we make the end user prove that they 869 00:41:47,610 --> 00:41:50,520 S2: were the ones who actually requested them before delivering them. 870 00:41:50,520 --> 00:41:53,160 S2: So it's very simple. Like you go request a Dropbox 871 00:41:53,160 --> 00:41:56,670 S2: password reset. Now you first get an email from material 872 00:41:56,670 --> 00:41:59,040 S2: that says, hey, are you trying to reset your Dropbox password? 873 00:41:59,040 --> 00:42:01,890 S2: If you say yes, the Dropbox password reset email comes 874 00:42:01,890 --> 00:42:04,320 S2: in as usual. You go about your merry way. If 875 00:42:04,320 --> 00:42:07,170 S2: you say no, though, it means like I can't be 876 00:42:07,170 --> 00:42:09,330 S2: in your mailbox and then go get access to these 877 00:42:09,330 --> 00:42:13,770 S2: lateral things. And in a in a typical enterprise organization, 878 00:42:13,770 --> 00:42:16,470 S2: which is what we normally kind of sell to, um, 879 00:42:16,469 --> 00:42:19,469 S2: you will see hundreds of apps that are still doing 880 00:42:19,469 --> 00:42:23,100 S2: password resets or sign up verifications over email, even though 881 00:42:23,100 --> 00:42:26,250 S2: they're supposed to be under SSO. So like a common 882 00:42:26,250 --> 00:42:30,690 S2: culprit is like Salesforce, uh, or, you know, Workday where 883 00:42:30,690 --> 00:42:33,989 S2: like you think they're behind 
SSO, or ADP is another 884 00:42:33,989 --> 00:42:36,090 S2: one where you think you've kind of handled them, but 885 00:42:36,090 --> 00:42:38,550 S2: there's some backdoor happening over email that you like, forgot 886 00:42:38,550 --> 00:42:41,760 S2: about or you misconfigured. And then there's all these like 887 00:42:41,760 --> 00:42:44,730 S2: consumer apps that are like not never going to support 888 00:42:44,730 --> 00:42:47,340 S2: SSO but are still valid in the corporate settings. So 889 00:42:47,340 --> 00:42:49,920 S2: like Twitter I gave as an example. Right. Like obviously 890 00:42:49,920 --> 00:42:51,960 S2: your marketing team has a Twitter account, but Twitter is 891 00:42:51,960 --> 00:42:55,650 S2: not going to support any type of identity thing. Um, 892 00:42:56,040 --> 00:42:58,680 S2: and then our fourth product is basically what we call 893 00:42:58,680 --> 00:43:02,219 S2: posture management. And it really is about helping you understand 894 00:43:02,219 --> 00:43:05,430 S2: what's even going on with your email environment, uh, and 895 00:43:05,430 --> 00:43:09,960 S2: broadly your Google Workspace or M365 environment. So for example, um, 896 00:43:09,960 --> 00:43:12,870 S2: when I was at Dropbox, if I walked into our 897 00:43:12,870 --> 00:43:16,919 S2: company and created a auto forward of all of my 898 00:43:16,920 --> 00:43:21,000 S2: corporate mail to my personal Gmail, literally no one would 899 00:43:21,000 --> 00:43:23,549 S2: know and no one would come and do anything about it. 900 00:43:23,550 --> 00:43:26,879 S2: And the reason is because, um, just getting that kind 901 00:43:26,880 --> 00:43:30,030 S2: of information out of like some of these productivity suites 902 00:43:30,030 --> 00:43:32,550 S2: can be very hard. 
And a lot of times people 903 00:43:32,550 --> 00:43:35,880 S2: haven't really built like detection or response playbooks around them, 904 00:43:35,880 --> 00:43:39,270 S2: and they can't outright block this kind of behavior from 905 00:43:39,270 --> 00:43:42,450 S2: happening because sometimes they are legitimate use cases for auto forwards, 906 00:43:42,450 --> 00:43:44,100 S2: for example. So you can't just like block it at 907 00:43:44,100 --> 00:43:47,400 S2: the tenant level. So we look for all sorts of 908 00:43:47,400 --> 00:43:52,830 S2: behavior or settings or misconfigurations in M365 or Google Workspace, 909 00:43:52,830 --> 00:43:55,470 S2: and we just surfaced them with recommendations of how to 910 00:43:55,469 --> 00:43:58,589 S2: reduce that kind of risk. And that's part of the 911 00:43:58,590 --> 00:44:01,020 S2: posture management product. So yeah, those are the four. 912 00:44:01,560 --> 00:44:04,980 S1: Yeah. Those are those are great. That is they all 913 00:44:04,980 --> 00:44:08,820 S1: do definitely complement each other. I really like the last one, 914 00:44:08,820 --> 00:44:12,029 S1: especially because I feel like that is so much of 915 00:44:12,030 --> 00:44:15,660 S1: the game is like just not knowing. It's like leaving 916 00:44:15,660 --> 00:44:19,230 S1: open S3 buckets. It's like you're spending all this money 917 00:44:19,230 --> 00:44:22,230 S1: on security and then you've got this thing dangling. Yeah. 918 00:44:22,230 --> 00:44:25,830 S1: And uh, yeah, there's so many settings as well. So 919 00:44:25,830 --> 00:44:26,580 S1: it's hard for me. 920 00:44:26,969 --> 00:44:29,069 S2: I actually think that, you know, it's a funny story 921 00:44:29,070 --> 00:44:31,650 S2: about that. When we first started the company, it was 922 00:44:31,650 --> 00:44:35,250 S2: just the data protection, uh, feature, the redaction one. 
That's 923 00:44:35,250 --> 00:44:36,960 S2: really what led us to start this company in the 924 00:44:36,960 --> 00:44:40,379 S2: first place. When we went and talked to CISOs or 925 00:44:40,380 --> 00:44:43,169 S2: security teams about that, the first question we would obviously 926 00:44:43,170 --> 00:44:46,590 S2: get is like, hey, cool. Like you have this awesome 927 00:44:46,590 --> 00:44:50,400 S2: control for sensitive content in the mailbox. What sensitive content 928 00:44:50,400 --> 00:44:52,920 S2: do I even have in mailboxes? Like, right. Like, do 929 00:44:52,920 --> 00:44:55,200 S2: I even need this? Like, I have no idea. Like, 930 00:44:55,200 --> 00:44:57,660 S2: it's like, I suspect that I probably need this, but like, 931 00:44:57,660 --> 00:45:00,450 S2: I have no idea. And so we were like, oh shit. Like, 932 00:45:00,450 --> 00:45:03,300 S2: obviously like step one is to give you visibility and 933 00:45:03,300 --> 00:45:06,990 S2: help you understand what even is there. And so, like, selfishly, 934 00:45:06,989 --> 00:45:09,180 S2: for us, it kind of helped us tell the story 935 00:45:09,180 --> 00:45:10,980 S2: of why you need some of the controls that we're 936 00:45:10,980 --> 00:45:15,180 S2: talking about, but also for, for security teams, it's often 937 00:45:15,180 --> 00:45:17,640 S2: step one anyway, which is just like, okay, like now 938 00:45:17,640 --> 00:45:19,560 S2: I have a lay of the land. The other thing 939 00:45:19,560 --> 00:45:22,530 S2: is you kind of mentioned the S3 bucket. And that 940 00:45:22,530 --> 00:45:26,100 S2: I think is a really great point. Like it is 941 00:45:26,100 --> 00:45:29,490 S2: a very well understood in cloud security that like, you know, 942 00:45:29,489 --> 00:45:33,660 S2: CSPMs, like CNAPPs, all this stuff like are very, 943 00:45:33,660 --> 00:45:36,600 S2: you know, well understood category. 
People understand why they need 944 00:45:36,630 --> 00:45:39,359 S2: them because there's all this stuff happening in your cloud environment. 945 00:45:39,360 --> 00:45:43,980 S2: There's different teams, uh, creating like software, uh, all these 946 00:45:43,980 --> 00:45:46,830 S2: settings to think about. And so you need a platform 947 00:45:46,830 --> 00:45:49,830 S2: that's like looking at behavior, looking at vulnerabilities and kind 948 00:45:49,830 --> 00:45:53,100 S2: of like showcasing the top, riskiest ones and helping you 949 00:45:53,100 --> 00:45:57,060 S2: address them literally, word for word. Everything I just said 950 00:45:57,060 --> 00:46:01,410 S2: applies to the productivity suite, right? Like M365 and Google Workspace. 951 00:46:01,410 --> 00:46:05,009 S2: And yet there isn't really a CSPM equivalent for just 952 00:46:05,010 --> 00:46:10,440 S2: those products. There's there are SPM tools where they're like, oh, well, 953 00:46:10,440 --> 00:46:13,980 S2: we cover 50 apps and M365 is one of them. 954 00:46:13,980 --> 00:46:16,500 S2: And because they cover 50 apps, it's hard for 955 00:46:16,500 --> 00:46:19,860 S2: them to go deep on the productivity suite. Um, and 956 00:46:19,860 --> 00:46:23,399 S2: so they'll give a some surface level detections, but the 957 00:46:23,400 --> 00:46:25,980 S2: sort of like depth of a CSPM that is entirely 958 00:46:25,980 --> 00:46:30,690 S2: focused on cloud security does not exist for the productivity suite. 959 00:46:30,690 --> 00:46:33,270 S2: And it's an area that we're at material like, very 960 00:46:33,270 --> 00:46:36,570 S2: excited about pursuing, because I don't really see a good 961 00:46:36,570 --> 00:46:38,189 S2: reason that there isn't an equivalent. 962 00:46:39,020 --> 00:46:42,469 S1: Yeah, especially when the implications of a setting being one 963 00:46:42,469 --> 00:46:47,090 S1: way versus another are so huge. Yeah, right. 
And there's 964 00:46:47,090 --> 00:46:49,310 S1: also a lot of opportunity there to be like, look 965 00:46:49,310 --> 00:46:52,160 S1: you are this type of risk posture of a company. 966 00:46:52,160 --> 00:46:55,430 S1: You really care about these relationships or whatever. So out 967 00:46:55,430 --> 00:46:59,570 S1: of the 312 settings available in this platform, we recommend 968 00:46:59,570 --> 00:47:00,740 S1: the following settings three. 969 00:47:00,739 --> 00:47:03,049 S2: Yeah, totally. Um, and it's kind of similar to what 970 00:47:03,050 --> 00:47:04,700 S2: you were saying earlier, right? Like if you make a 971 00:47:04,700 --> 00:47:08,450 S2: register of the like most common attacks anyway, and you 972 00:47:08,450 --> 00:47:11,089 S2: just start with that, like here, here, like the 10 973 00:47:11,090 --> 00:47:14,240 S2: or 15 things that like are almost always the culprits 974 00:47:14,239 --> 00:47:17,509 S2: like and again, CSPM learned that a while ago and 975 00:47:17,510 --> 00:47:19,819 S2: I think they're like, okay. Yeah. Like we keep leaving 976 00:47:19,820 --> 00:47:23,000 S2: buckets open, like, let's stop doing this. You know, I 977 00:47:23,000 --> 00:47:26,540 S2: think that there are equivalents, uh, in, for example, like 978 00:47:26,540 --> 00:47:28,940 S2: we have a product, we have a fifth product that 979 00:47:28,940 --> 00:47:31,910 S2: I actually forgot to mention that is very new, and 980 00:47:31,910 --> 00:47:34,549 S2: it focuses on Google Drive. So a lot of the 981 00:47:34,550 --> 00:47:36,740 S2: same stuff that we had heard over the years with 982 00:47:36,739 --> 00:47:40,760 S2: sensitive content in email, people were like, our customers were like, hey, 983 00:47:41,150 --> 00:47:43,100 S2: I have a lot of these problems with Google Drive, 984 00:47:43,100 --> 00:47:47,180 S2: like just the files. 
And, um, and that product is 985 00:47:47,180 --> 00:47:50,060 S2: all about detecting kind of oversharing, because a lot of 986 00:47:50,060 --> 00:47:53,270 S2: times what happens is it literally equivalent to the S3 bucket? 987 00:47:53,270 --> 00:47:55,940 S2: You might have some file that was shared at one 988 00:47:55,940 --> 00:47:59,450 S2: point with anyone with the link permissions, uh, even though 989 00:47:59,450 --> 00:48:01,910 S2: like it didn't need to be and it's got sensitive content. 990 00:48:01,910 --> 00:48:03,680 S2: And now it's been two years since anyone has ever 991 00:48:03,680 --> 00:48:07,130 S2: looked at it. But, you know, it's mentioned in some 992 00:48:07,130 --> 00:48:09,109 S2: email that might be part of a breach. And now 993 00:48:09,110 --> 00:48:11,960 S2: all of a sudden it's accessible. So how do you 994 00:48:11,960 --> 00:48:13,640 S2: go clean that up? Like you're not going to have 995 00:48:13,640 --> 00:48:16,759 S2: a security team that's sitting around like auditing their Google Drive, 996 00:48:16,760 --> 00:48:19,520 S2: which has like millions of files. So you can automate that. 997 00:48:19,520 --> 00:48:21,530 S2: You can do things like, hey, if it has sensitive 998 00:48:21,530 --> 00:48:24,589 S2: content and it also has these permissions like revoke them 999 00:48:24,590 --> 00:48:26,660 S2: in this way and notify the owner so you can 1000 00:48:26,660 --> 00:48:30,620 S2: build workflows and kind of get the end users involved. 1001 00:48:30,620 --> 00:48:32,840 S2: Because that's the only way to have like a tenable 1002 00:48:32,840 --> 00:48:35,360 S2: solution there. Otherwise you're just going to have a security 1003 00:48:35,360 --> 00:48:37,700 S2: team that is trying to like, go through a giant 1004 00:48:37,700 --> 00:48:40,130 S2: backlog of these and will never prioritize it. And it's 1005 00:48:40,130 --> 00:48:42,290 S2: just one of those, like, active risks just sitting there. 
1006 00:48:42,560 --> 00:48:44,780 S3: Um, yeah, absolutely. 1007 00:48:44,780 --> 00:48:48,920 S1: Any new research or new new exciting stuff coming out soon? 1008 00:48:49,400 --> 00:48:52,160 S2: Yeah. The thing that I'm very excited about is kind 1009 00:48:52,160 --> 00:48:53,900 S2: of what I was alluding to. So maybe I'll describe 1010 00:48:53,900 --> 00:48:56,180 S2: it in a little bit more detail. But basically we 1011 00:48:56,180 --> 00:48:59,450 S2: think that, um, there is an opportunity to do more 1012 00:48:59,450 --> 00:49:02,270 S2: than just email. Email is just one part of this 1013 00:49:02,270 --> 00:49:06,650 S2: suite of products, obviously, uh, which includes like files and 1014 00:49:06,650 --> 00:49:09,799 S2: chat and all the posture and settings that come with 1015 00:49:09,800 --> 00:49:13,280 S2: the productivity suites. And we kind of want to broaden 1016 00:49:13,280 --> 00:49:16,370 S2: and cover more and more of that. Uh, and so 1017 00:49:16,370 --> 00:49:20,210 S2: the really new thing for us is broadening beyond email. 1018 00:49:20,210 --> 00:49:22,760 S2: We did that with Google Drive. Um, we plan to 1019 00:49:22,760 --> 00:49:26,210 S2: do something similar on the Microsoft side in the future. Um, 1020 00:49:26,210 --> 00:49:29,569 S2: and then, uh, where it gets really interesting though, is 1021 00:49:29,570 --> 00:49:32,600 S2: you now unlock kind of new types of correlations. You 1022 00:49:32,600 --> 00:49:37,460 S2: can do if you have access to content, uh, settings 1023 00:49:37,460 --> 00:49:40,850 S2: and logs, you can really correlate these things together. So 1024 00:49:40,850 --> 00:49:43,969 S2: like let me give you a simple example. Um, let's 1025 00:49:43,969 --> 00:49:48,109 S2: say that I have a Google group that allows external 1026 00:49:48,110 --> 00:49:50,509 S2: people to post to it. 
That is a very common 1027 00:49:50,510 --> 00:49:53,359 S2: thing that exists in basically every company because you have 1028 00:49:53,360 --> 00:49:57,050 S2: like support at or you have like, you know, help 1029 00:49:57,050 --> 00:49:59,719 S2: at or whatever. But now let's say that that Google 1030 00:49:59,719 --> 00:50:03,350 S2: Group also has weak moderation settings, spam moderation settings, which, 1031 00:50:03,350 --> 00:50:05,660 S2: by the way, is their default for Google groups. Don't 1032 00:50:05,660 --> 00:50:08,089 S2: ask me why, but that's the default. Okay, so that's 1033 00:50:08,090 --> 00:50:10,850 S2: a little worse because now I can like, use this 1034 00:50:10,850 --> 00:50:15,469 S2: Google group to send you, uh, malicious emails that may 1035 00:50:15,469 --> 00:50:18,680 S2: bypass your like, existing controls because the spam moderation settings 1036 00:50:18,680 --> 00:50:21,200 S2: are lower. So that's those two things are a little 1037 00:50:21,200 --> 00:50:23,390 S2: bit worse. And now let's say that that same Google 1038 00:50:23,390 --> 00:50:25,790 S2: group is actually the one that like your CEO is 1039 00:50:25,790 --> 00:50:28,190 S2: a member of, or you're like, finance guy is a 1040 00:50:28,190 --> 00:50:31,850 S2: member of. Now it's like even worse because it's like, okay, well, 1041 00:50:31,850 --> 00:50:34,880 S2: if I want to like do like a high profile attack, 1042 00:50:34,880 --> 00:50:38,240 S2: I have now a path into a VIP. So in 1043 00:50:38,239 --> 00:50:41,360 S2: Google Workspace today to get each of these three signals 1044 00:50:41,360 --> 00:50:44,900 S2: are different API calls. Um, and you have to kind 1045 00:50:44,900 --> 00:50:47,810 S2: of correlate them together and write your own detection in 1046 00:50:47,810 --> 00:50:49,550 S2: the future. 
What we want to do with material is 1047 00:50:49,550 --> 00:50:52,550 S2: like basically have our threat research team come up with 1048 00:50:52,550 --> 00:50:55,820 S2: a lot of these common scenarios that we see express 1049 00:50:55,820 --> 00:50:58,550 S2: them as detections that just come out of the box 1050 00:50:58,550 --> 00:51:02,300 S2: and help you really attack these and, and leverage the 1051 00:51:02,300 --> 00:51:04,970 S2: fact that we have the content access, but we also 1052 00:51:04,969 --> 00:51:09,080 S2: have the, uh, settings and log data access, because when 1053 00:51:09,080 --> 00:51:11,450 S2: you can put those three things together, that's where like 1054 00:51:11,450 --> 00:51:14,419 S2: you can build some really high signal detections. One big 1055 00:51:14,420 --> 00:51:16,759 S2: problem with CSPMs, since we were talking about them in 1056 00:51:16,760 --> 00:51:21,200 S2: the past, is a long time, uh, ago, like people 1057 00:51:21,200 --> 00:51:22,910 S2: kind of almost gave up on them because they used 1058 00:51:22,910 --> 00:51:26,000 S2: to have so much noise. Right? It's like it was untenable. 1059 00:51:26,000 --> 00:51:28,550 S2: It's like you go in, it's like million issues detected 1060 00:51:28,550 --> 00:51:30,230 S2: and you're like, great, I'm never going to do anything 1061 00:51:30,230 --> 00:51:32,960 S2: about this. What I think the modern CSPM did a 1062 00:51:32,960 --> 00:51:35,300 S2: really good job with, you know, like, I'm like, thinking of, like, 1063 00:51:35,300 --> 00:51:38,350 S2: the Wiz or Orcas of the world, is they said, well, 1064 00:51:38,469 --> 00:51:40,570 S2: actually we are going to have a million issues, but 1065 00:51:40,570 --> 00:51:43,870 S2: out of those million, there's probably 40 that you really, really, 1066 00:51:43,870 --> 00:51:47,410 S2: really need to address. 
And those are like these, uh, 1067 00:51:47,410 --> 00:51:49,750 S2: those are those like attack paths, the ones that like, 1068 00:51:49,750 --> 00:51:53,259 S2: correlate 3 or 4 different things together, and they raise 1069 00:51:53,260 --> 00:51:56,200 S2: the severity of that detection. Um, I think it's a 1070 00:51:56,200 --> 00:51:58,060 S2: really smart model. And I think it's kind of what 1071 00:51:58,060 --> 00:52:01,180 S2: we want to do on the, on the, uh, workspace side. 1072 00:52:02,060 --> 00:52:05,330 S1: Yeah, I love that. I feel like everything is going 1073 00:52:05,480 --> 00:52:10,160 S1: eventually towards this, uh, inevitable place, which is gather all 1074 00:52:10,160 --> 00:52:12,500 S1: the context and point intelligence at it. 1075 00:52:12,500 --> 00:52:14,180 S3: Yeah. Right. 1076 00:52:14,180 --> 00:52:17,750 S1: And so I love the fact that you're bringing together 1077 00:52:17,750 --> 00:52:21,050 S1: all that different context, the state of the configuration of 1078 00:52:21,050 --> 00:52:21,980 S1: the platform. 1079 00:52:21,980 --> 00:52:22,460 S3: Yes. 1080 00:52:22,460 --> 00:52:26,779 S1: The things you're concerned about, actual logs plus threat intelligence. 1081 00:52:26,780 --> 00:52:28,310 S1: Now you've got a real picture. 1082 00:52:28,310 --> 00:52:31,850 S2: Exactly. And this was kind of the promise of XDR 1083 00:52:31,850 --> 00:52:35,180 S2: or whatever. But I think that the, the challenge is 1084 00:52:35,180 --> 00:52:36,860 S2: that like if you try to do it for all 1085 00:52:36,860 --> 00:52:40,759 S2: security across all platforms, it really does feel like a 1086 00:52:40,760 --> 00:52:44,450 S2: gnarly kind of untenable problem. So where I think people 1087 00:52:44,450 --> 00:52:46,820 S2: have done a good job is where they've kind of 1088 00:52:46,820 --> 00:52:50,120 S2: carved a boundary so that they can focus and kind 1089 00:52:50,120 --> 00:52:52,760 S2: of go deep. 
Uh, the thing that I think hasn't 1090 00:52:52,760 --> 00:52:54,950 S2: worked is when you kind of create like a very 1091 00:52:54,950 --> 00:52:57,020 S2: horizontal products that are a mile wide and an inch 1092 00:52:57,020 --> 00:53:00,620 S2: deep because they just can't really get to the to 1093 00:53:00,620 --> 00:53:02,630 S2: the true insights, and they end up just spamming you 1094 00:53:02,630 --> 00:53:04,790 S2: with something that's like, yes, it's a risk, but is 1095 00:53:04,790 --> 00:53:06,950 S2: it really your top priority? And you just, you know, 1096 00:53:06,950 --> 00:53:09,980 S2: I've talked to some CISOs who talk about those products, uh, 1097 00:53:09,980 --> 00:53:12,350 S2: as like kind of report card products where it's like, 1098 00:53:12,350 --> 00:53:14,420 S2: let's just make you feel bad, you know, and it's like, yeah, yeah, 1099 00:53:14,690 --> 00:53:17,960 S2: like much to do. I think what, what we are 1100 00:53:17,960 --> 00:53:20,569 S2: interested in is trying to find the balance between, yeah, 1101 00:53:20,570 --> 00:53:23,510 S2: broaden beyond email, but kind of still focus really on 1102 00:53:23,510 --> 00:53:26,150 S2: this productivity suite so that you can still go deep 1103 00:53:26,150 --> 00:53:29,270 S2: and not get overextended. Um, and it's a it's a 1104 00:53:29,270 --> 00:53:32,299 S2: tricky balance, but I think like that kind of going 1105 00:53:32,300 --> 00:53:36,290 S2: into the full XDR thing is probably a little too broad. Yeah. 1106 00:53:37,040 --> 00:53:37,820 S3: Well, cool. 1107 00:53:37,820 --> 00:53:40,460 S1: Where can people learn more about Material? 1108 00:53:40,760 --> 00:53:44,330 S2: Yeah. Head over to material.security. We try to, 1109 00:53:44,360 --> 00:53:46,910 S2: you know, explain what we do in really simple terms. 1110 00:53:46,910 --> 00:53:49,730 S2: There's like videos and stuff that show how the product works.
1111 00:53:49,730 --> 00:53:52,820 S2: So that's the best way to learn about Material and 1112 00:53:53,000 --> 00:53:54,680 S2: reach out if you'd like to learn more. 1113 00:53:55,070 --> 00:53:57,350 S1: Awesome. Well, I love the approach. I love the way 1114 00:53:57,350 --> 00:53:59,990 S1: you're thinking about this. It's exactly the way that I 1115 00:53:59,989 --> 00:54:03,020 S1: would approach this. Awesome. So I really, really great to 1116 00:54:03,020 --> 00:54:05,870 S1: hear it. And, uh, I enjoyed the conversation. 1117 00:54:05,870 --> 00:54:07,610 S2: Yeah. Me too. Thank you so much. 1118 00:54:07,760 --> 00:54:09,770 S1: All right. Take care. See you.