WEBVTT - A Conversation with with Abhishek Agrawal from Material Security 0:00:00.200 --> 0:00:03.050 All right, Abhishek, welcome to unsupervised Learning. 0:00:03.050 --> 0:00:05.540 Yeah, thanks for having me. Excited to be here. 0:00:05.870 --> 0:00:11.090 Yeah. Awesome. So, uh, you are Abhishek Agarwal and co-founder 0:00:11.090 --> 0:00:14.360 and CEO at Material Security. Is that correct? 0:00:14.360 --> 0:00:15.230 That's right. 0:00:15.890 --> 0:00:20.180 Awesome. Well, tell me about your background and, uh, the 0:00:20.180 --> 0:00:22.700 product and just, uh, get us started here. 0:00:22.700 --> 0:00:25.940 Yeah, sure. Happy to. Um, yeah. So I'm Abhishek, um, 0:00:25.940 --> 0:00:28.880 one of the co-founders of material. Um, before this company, 0:00:28.880 --> 0:00:31.490 I was an early PM at Dropbox, uh, where I 0:00:31.490 --> 0:00:35.270 spent time on the data infrastructure side and the cert side, um, 0:00:35.270 --> 0:00:38.570 when the company was fairly early. So around 250 people. 0:00:38.570 --> 0:00:40.669 I was, uh, an early PM there, like I said. 0:00:40.670 --> 0:00:43.879 And then before that, uh, got my start on the 0:00:43.880 --> 0:00:47.030 Microsoft at Microsoft Research on the engineering side. So my 0:00:47.030 --> 0:00:49.310 background before this company was actually more in like the 0:00:49.310 --> 0:00:53.000 productivity and sort of large data sets, side and data 0:00:53.000 --> 0:00:56.959 data infrastructure. Um, with this company obviously kind of first 0:00:56.960 --> 0:00:59.990 foray into security, although at Dropbox, the security team would 0:00:59.990 --> 0:01:02.090 use our data infrastructure quite a bit. So I had 0:01:02.090 --> 0:01:05.660 some interaction with them. Um, and yeah, material. You know, 0:01:05.660 --> 0:01:08.059 we started a while ago, we're kind of in the 0:01:08.060 --> 0:01:11.810 email security space, uh, where we're now broadening a little 0:01:11.810 --> 0:01:16.160 bit more to the productivity suite more broadly, more generally. But, uh, 0:01:16.160 --> 0:01:18.709 the kind of key insight that led to the company, 0:01:18.709 --> 0:01:22.190 which actually got started after the 2016 election cycle, where 0:01:22.190 --> 0:01:24.830 there were a couple high profile email attacks. Uh, the 0:01:24.830 --> 0:01:28.400 key insight was everybody's really obsessed with trying to stop 0:01:28.400 --> 0:01:32.030 someone from getting into email. But but we had this 0:01:32.030 --> 0:01:33.950 idea which was like, if someone does get into an 0:01:33.950 --> 0:01:37.040 email account, there's all these downstream things that they can do. 0:01:37.069 --> 0:01:39.830 What if we could contain that blast radius? Uh, so 0:01:39.830 --> 0:01:41.720 that was the original insight that led to the company 0:01:41.720 --> 0:01:43.910 and a lot of what we still do today. And 0:01:43.910 --> 0:01:45.710 then we also do a kind of more of the 0:01:45.709 --> 0:01:48.680 traditional email security of trying to, you know, stop attacks 0:01:48.680 --> 0:01:53.060 that that are still bypassing, um, uh, sort of gateways and, 0:01:53.060 --> 0:01:53.930 and the like. 0:01:55.420 --> 0:01:59.470 Yeah. Interesting. The the front page says, uh, secure email 0:01:59.470 --> 0:02:02.920 from every angle, which is pretty interesting. I thought that 0:02:02.920 --> 0:02:05.200 was that was a good tagline. 0:02:05.200 --> 0:02:05.770 Thank you. 0:02:06.400 --> 0:02:09.609 Yeah. So I looked at your background as well. So 0:02:09.730 --> 0:02:12.520 I'm surprised we haven't run into each other more. Uh, 0:02:12.520 --> 0:02:14.649 you're also in the Bay area as well? 0:02:14.650 --> 0:02:17.620 I am, yeah. So I moved out here for Dropbox 0:02:17.620 --> 0:02:20.020 and then, uh, has been kind of bouncing around the 0:02:20.020 --> 0:02:23.950 Bay area, uh, for the last decade now, so. Yeah. 0:02:24.430 --> 0:02:27.100 Nice. Yeah. We should get coffee at some point. Let's 0:02:27.100 --> 0:02:29.440 do it for sure. I'm just in Newark, so. 0:02:29.440 --> 0:02:31.930 Oh. No way. Okay, I'm really close to you. I'm 0:02:31.930 --> 0:02:34.930 in Walnut Creek, so, uh. Oh. Nice. Not not not 0:02:34.930 --> 0:02:37.059 just in the Bay area, but nearby. Yeah. 0:02:37.600 --> 0:02:43.239 Awesome. Yeah. So, uh, why do product managers make such 0:02:43.240 --> 0:02:48.160 good CEOs and co-founders? Because I know you started in engineering, 0:02:48.430 --> 0:02:51.490 but you did a decent amount of time as a 0:02:51.490 --> 0:02:55.239 product manager. Yeah. What do you think they're so good at? Like, 0:02:55.240 --> 0:02:58.000 starting and building and pushing products. 0:02:59.320 --> 0:03:02.930 Yeah. It's a great question. Um. First of all. I mean, 0:03:02.930 --> 0:03:05.269 I think that like, you know, I'm a big believer 0:03:05.270 --> 0:03:07.760 there's like multiple paths to God. So like, you know, 0:03:08.090 --> 0:03:10.130 there is no kind of one template, like a lot 0:03:10.130 --> 0:03:13.820 of different profiles, uh, folks, uh, can start companies and 0:03:13.820 --> 0:03:16.760 make great, uh, founders or CEOs. I think the reason 0:03:16.760 --> 0:03:21.350 you see product managers kind of maybe overrepresented there is 0:03:21.350 --> 0:03:25.190 that by definition, product management is kind of a, um, 0:03:25.190 --> 0:03:30.020 generalist function. You know, like you're at this intersection of engineering, uh, 0:03:30.020 --> 0:03:33.380 design business. Uh, that's kind of your job as a 0:03:33.380 --> 0:03:35.990 product manager. And so if you take that kind of 0:03:35.990 --> 0:03:38.030 elevate that, like, that's kind of what you're doing as 0:03:38.030 --> 0:03:40.460 a founder, you know, you're like thinking about what to build. 0:03:40.460 --> 0:03:41.930 You're thinking about how you're going to sell it, take 0:03:41.930 --> 0:03:45.050 it to market. You're thinking about, um, how it's going 0:03:45.050 --> 0:03:47.360 to work, but also how you're going to message it. 0:03:47.360 --> 0:03:50.360 And so a lot of these kind of activities are 0:03:50.360 --> 0:03:54.320 what PMS are doing inside companies for their products. You're 0:03:54.320 --> 0:03:56.090 kind of doing that for your whole company as a 0:03:56.090 --> 0:03:59.330 founder when you're when you're, uh, CEO or founder. So 0:03:59.330 --> 0:04:02.060 I think that's maybe why PMS are attracted to it. Um, 0:04:02.060 --> 0:04:05.060 in my case personally, you know, I just kind of 0:04:05.060 --> 0:04:07.190 when I was an engineer, I would really be kind 0:04:07.190 --> 0:04:09.530 of missing having an input into what the product should 0:04:09.530 --> 0:04:11.690 be and how it should work and who the customer 0:04:11.690 --> 0:04:13.730 should be. Then when I became a PM, I was 0:04:13.730 --> 0:04:16.370 really missing, like writing code. So I was kind of like, 0:04:16.370 --> 0:04:19.070 never really happy in one role or the other. Uh, 0:04:19.070 --> 0:04:22.130 and that also makes for a great trait for founders 0:04:22.130 --> 0:04:24.350 that are just kind of not satisfied with being in 0:04:24.350 --> 0:04:27.619 any one specific role. They just kind of want to like, uh, 0:04:27.620 --> 0:04:29.719 be a little bit of jack of all trades. Uh, 0:04:29.720 --> 0:04:32.750 so yeah, I think that's why. But I'm not sure. 0:04:33.110 --> 0:04:36.470 Yeah, I think that sounds right. I mean, I actually 0:04:36.470 --> 0:04:39.860 think with all this AI stuff happening, a lot of 0:04:39.860 --> 0:04:42.169 product managers are going to be like, you know what, 0:04:42.170 --> 0:04:43.940 screw this. And they're just going to break off and 0:04:43.940 --> 0:04:46.729 like build their own companies. Yeah. And have a little 0:04:46.730 --> 0:04:48.830 bit of dev support. But even be able to do 0:04:48.830 --> 0:04:53.390 like MVP's themselves if they're technical. Yeah. And then be 0:04:53.390 --> 0:04:55.460 able to do a lot of the marketing themselves, a 0:04:55.460 --> 0:04:58.469 lot of the user stories and like. It's like a 0:04:58.470 --> 0:05:01.320 one person company, essentially. 0:05:01.770 --> 0:05:03.840 Yeah, I think that's actually one of the most exciting 0:05:03.839 --> 0:05:06.630 things about all of this stuff. And I know several 0:05:06.630 --> 0:05:09.960 folks have kind of written about this, but the whole like, 0:05:09.960 --> 0:05:12.719 when will we see the first, like, you know, billion 0:05:12.720 --> 0:05:15.390 dollar company that's just got one employee? That's a very, 0:05:15.390 --> 0:05:19.380 very intriguing idea. And I think that is you're totally right. Um, 0:05:19.380 --> 0:05:21.989 that and again, I don't think it has to be 0:05:21.990 --> 0:05:25.260 just product managers like anyone that can kind of like 0:05:25.410 --> 0:05:28.469 complement whatever skill set they have with, with a lot 0:05:28.470 --> 0:05:30.630 of that other stuff is going to be in a 0:05:30.630 --> 0:05:34.349 position to really get pretty far with, without, maybe not 0:05:34.380 --> 0:05:37.650 with literally just one person, but with a pretty small team. Um. 0:05:38.130 --> 0:05:40.260 Yeah. And I think it goes back to what you said, 0:05:40.260 --> 0:05:44.250 which is, uh, being able to link these different things. 0:05:44.400 --> 0:05:48.240 It's like it's almost like the opposite of Google. And 0:05:48.240 --> 0:05:50.039 I know some people at Google, so I don't want 0:05:50.040 --> 0:05:53.430 to be too mean here. But like Google in general 0:05:53.430 --> 0:05:58.820 is almost like engineering focused. Where as opposed to product 0:05:58.820 --> 0:06:02.750 or problem focused. Hmm. Yeah. And so they they have 0:06:02.750 --> 0:06:04.970 all this tech that they build, they come out with 0:06:04.970 --> 0:06:08.089 the attention is all you need paper. Yeah, yeah. And 0:06:08.089 --> 0:06:11.210 people just throw random things at the wall. And there's 0:06:11.210 --> 0:06:15.680 not a product management led thing of like, problem solution, 0:06:15.680 --> 0:06:19.430 really good marketing that makes it clear and then make 0:06:19.430 --> 0:06:22.670 and then also product management making it easy to use. 0:06:22.670 --> 0:06:23.450 Totally. 0:06:23.450 --> 0:06:26.990 It's like so hard to use like Google stuff like, um, 0:06:26.990 --> 0:06:31.279 Google Eye Studio compared to Claude or one of these 0:06:31.279 --> 0:06:33.980 other products. It's like impenetrable. 0:06:33.980 --> 0:06:37.580 Yeah. Um, no, I agree, I, you know, my favorite 0:06:37.580 --> 0:06:39.890 kind of recent example of this is that they, they 0:06:39.890 --> 0:06:44.360 launched a thing recently for Google Drive in the workspace setting, 0:06:44.360 --> 0:06:48.080 where they will use an LLM to auto classify sensitive 0:06:48.080 --> 0:06:51.320 content in your drive, which is pretty cool. Uh, to 0:06:51.320 --> 0:06:54.890 like auto label it. Um, but but the way you 0:06:54.890 --> 0:06:56.420 have to set it up is like, you literally have 0:06:56.420 --> 0:06:59.360 to go as a workspace admin and like basically train 0:06:59.360 --> 0:07:02.720 a model yourself. And I was like, oh my God. Like, 0:07:02.720 --> 0:07:05.570 you know, like most of these security folks or IT 0:07:05.570 --> 0:07:07.580 admins be talked to like they're they're not going to 0:07:07.580 --> 0:07:10.160 have time to go do that and like back test 0:07:10.160 --> 0:07:12.830 it and make sure the precision and stuff is good. Like, 0:07:12.830 --> 0:07:15.260 you know, you would expect that to be more kind 0:07:15.260 --> 0:07:19.640 of one, one, one click. But yeah, I think um, 0:07:19.760 --> 0:07:21.530 I think the other thing is that we talk a 0:07:21.530 --> 0:07:25.790 lot about product management in the Valley. But for me personally, 0:07:25.790 --> 0:07:29.540 and I've talked about this before, uh, on another podcast, like, 0:07:29.540 --> 0:07:33.230 especially as a founder early on, I think learning about 0:07:33.230 --> 0:07:37.220 product marketing is very, very important because, yes, because half 0:07:37.220 --> 0:07:39.080 of what you were just saying is, um, it is 0:07:39.080 --> 0:07:41.780 part of a product managers kind of responsibility, but it's 0:07:41.900 --> 0:07:45.230 honestly it's product marketing. It's like, well, like, what is 0:07:45.230 --> 0:07:47.450 this going to thing going to be like, what features 0:07:47.450 --> 0:07:49.640 is it going to have? Uh, how are they going 0:07:49.640 --> 0:07:51.920 to compare to alternatives like how are we even going 0:07:51.920 --> 0:07:54.290 to describe them? Like, you know, are they going to 0:07:54.290 --> 0:07:57.080 be bundled this way or that way? These are critical 0:07:57.080 --> 0:07:59.720 decisions you're making at the beginning of a company, or 0:07:59.720 --> 0:08:03.680 even if inside a inside a large org that have 0:08:03.680 --> 0:08:06.530 such a big impact. And I think people often are 0:08:06.530 --> 0:08:08.990 thinking about them as an afterthought. I know I certainly 0:08:08.990 --> 0:08:11.090 was guilty of this, like when I was dropped at 0:08:11.090 --> 0:08:13.940 a Dropbox. Like product marketing would often be like, you've 0:08:13.940 --> 0:08:15.710 built the whole product, and now someone needs to write 0:08:15.710 --> 0:08:18.620 the launch blog post, and that's where product marketing comes in. 0:08:18.620 --> 0:08:21.110 But honestly, like, I think the right way to do 0:08:21.110 --> 0:08:24.800 it is invest in product marketing way earlier. Like make 0:08:24.800 --> 0:08:28.340 your website landing page first and figure out force yourself 0:08:28.340 --> 0:08:30.410 to understand how you're going to describe it, you know, 0:08:30.410 --> 0:08:32.059 before writing a line of code. 0:08:32.679 --> 0:08:36.130 I think you're exactly right. I think this is the 0:08:36.130 --> 0:08:41.790 whole thing is like. Have the story, the problem be 0:08:41.790 --> 0:08:44.670 like in the very front. The problem is everything. Yeah. 0:08:44.670 --> 0:08:46.980 Then you have the story and the wrapper around it. 0:08:46.980 --> 0:08:49.620 Then you have your landing page, and then it's kind 0:08:49.620 --> 0:08:52.080 of like the Amazon flow, which I used a lot 0:08:52.080 --> 0:08:56.790 at Apple as well. You you ship the PR, you 0:08:56.790 --> 0:08:59.309 release the PR and it's like, here's what the website 0:08:59.309 --> 0:09:02.190 looks like. Here's what the marketing looks like. How excited 0:09:02.190 --> 0:09:04.380 are we about this? Yes. And if you pass this 0:09:04.380 --> 0:09:09.030 around the table for this senior meeting and people aren't excited. Yeah. 0:09:09.030 --> 0:09:10.020 What are you doing? 0:09:10.020 --> 0:09:11.550 What is it all for? Yeah. What's the point? 0:09:11.550 --> 0:09:13.170 Yeah, yeah, yeah. And if you are no. 0:09:13.170 --> 0:09:17.370 Worse feeling than being in like, a company where you've 0:09:17.370 --> 0:09:20.729 built the product, you've invested all this time engineering, and 0:09:20.730 --> 0:09:23.490 then you're realizing that there's no worse feeling than that 0:09:23.490 --> 0:09:25.830 because you're just like, oh God, what have we just do, 0:09:25.860 --> 0:09:27.930 you know? So yeah, the more you can do it 0:09:27.929 --> 0:09:29.069 up front, the better. 0:09:29.070 --> 0:09:34.220 Yeah, definitely. So. So what do you, uh. There yourself 0:09:34.220 --> 0:09:37.850 or the company in general believe about email security that 0:09:37.850 --> 0:09:38.960 other people don't? 0:09:39.470 --> 0:09:42.920 Yeah. Um, this is something that, you know, we have 0:09:42.920 --> 0:09:46.250 been kind of saying from the hilltops for a while, but. 0:09:46.950 --> 0:09:51.540 The fundamental idea that led to this company was email 0:09:51.540 --> 0:09:54.690 is seen in the security context as a really, really 0:09:54.690 --> 0:09:57.780 good way to deliver an attack to you, right? Like, 0:09:57.780 --> 0:10:01.559 you know, we are all familiar with sort of malware and, uh, 0:10:01.559 --> 0:10:05.490 phishing and like BCC and and that's true. Like it 0:10:05.490 --> 0:10:08.040 is an open protocol. Anybody on the internet can send 0:10:08.040 --> 0:10:10.290 anybody else an email. That's part of what makes it great. 0:10:10.290 --> 0:10:13.470 But in a security context, that's what makes it really terrible. 0:10:13.470 --> 0:10:16.530 And there's been just years and years and years of 0:10:16.530 --> 0:10:19.770 focus on email as a way to deliver an attack. 0:10:19.800 --> 0:10:22.860 What's happened, though, at the same time, especially over the 0:10:22.860 --> 0:10:27.030 last decade, is we all got like cloud email. And 0:10:27.030 --> 0:10:29.910 that meant that we basically got infinite storage and we 0:10:29.910 --> 0:10:33.390 started hoarding all of our email. And that means that 0:10:33.390 --> 0:10:37.109 it becomes this, like representation of your entire life. Uh, 0:10:37.110 --> 0:10:40.680 on the personal front, it's like literally like everything in 0:10:40.679 --> 0:10:43.200 your life, like whether it's like your finances, taxes, your 0:10:43.200 --> 0:10:46.230 kids stuff, your house mortgage, it ends up in your email, 0:10:46.230 --> 0:10:48.750 in the corporate setting, obviously, it's like all of the 0:10:48.750 --> 0:10:52.709 company's IP, like the system of record. Right. And so 0:10:52.710 --> 0:10:54.690 what that does is it makes it a really big 0:10:54.690 --> 0:10:57.420 target as well. So it's not just the delivery method 0:10:57.420 --> 0:11:00.240 of a bad attack. It's actually the thing that someone 0:11:00.240 --> 0:11:02.730 wants to steal now because it has all this content 0:11:02.730 --> 0:11:05.460 inside it. Interesting. The thing that we believe about email 0:11:05.460 --> 0:11:08.190 security that no one else does is that blocking phishing 0:11:08.190 --> 0:11:10.920 and stuff is important. Uh, it really is, because it's 0:11:10.920 --> 0:11:13.980 still a really great entry point. But you also have 0:11:13.980 --> 0:11:16.770 to think about email as a content repository that needs 0:11:16.770 --> 0:11:19.920 to be secured, the same way that security has been 0:11:19.920 --> 0:11:23.880 securing other content repositories for a long time. Uh, so 0:11:23.880 --> 0:11:26.340 a lot of what we do at material tries to 0:11:26.340 --> 0:11:29.760 block inbound emails that are bad, but it also tries 0:11:29.760 --> 0:11:33.300 to go, you know, have a plan. If someone does 0:11:33.300 --> 0:11:35.970 get into a mail account and, you know, today, like 0:11:35.970 --> 0:11:37.830 they would be able to steal all the content inside 0:11:37.830 --> 0:11:39.540 it or they would be able to go like reset 0:11:39.540 --> 0:11:42.690 my Dropbox password and take over Dropbox. We try to 0:11:42.690 --> 0:11:45.390 mitigate those things and limit the blast radius of a 0:11:45.390 --> 0:11:47.700 bad of a, of a of a breach. Basically, if 0:11:47.700 --> 0:11:50.070 someone does get into an account, how can we stop 0:11:50.070 --> 0:11:52.020 them from not doing as much harm as they would 0:11:52.020 --> 0:11:55.590 normally have done? That's a thing where complementing traditional email 0:11:55.590 --> 0:11:56.520 security with. 0:11:56.970 --> 0:12:00.480 No, that's interesting. And what are the detection mechanisms for that? 0:12:00.480 --> 0:12:05.760 So let's say someone has a credential. Yeah. Um like what? 0:12:06.000 --> 0:12:08.579 How are you detecting if you move around, you do 0:12:08.580 --> 0:12:10.320 something dangerous inside the account. 0:12:10.320 --> 0:12:12.930 Yeah. So the first thing I'd say is, like, it 0:12:12.929 --> 0:12:15.600 actually doesn't have to be about detection at all. So 0:12:15.600 --> 0:12:17.850 let me give you an example. So let's say like 0:12:17.850 --> 0:12:20.250 we take a, the uh, the analogy of a car. 0:12:20.250 --> 0:12:23.699 So a seatbelt is something you just put on when 0:12:23.700 --> 0:12:26.520 you drive a car. It doesn't like detect the accident 0:12:26.520 --> 0:12:29.190 and like go into like motion right before the accident 0:12:29.190 --> 0:12:30.990 is going to happen. Like it's just there. It does 0:12:30.990 --> 0:12:35.370 its job. Yeah. Um, so similarly, you know, we're not 0:12:35.370 --> 0:12:38.070 necessarily detecting the presence of an attacker and then trying 0:12:38.070 --> 0:12:40.620 to respond. We're just saying there are certain controls you 0:12:40.620 --> 0:12:43.859 should just have all the time. So for example, um, 0:12:43.860 --> 0:12:47.280 if you, uh, one of our products is called, uh, 0:12:47.280 --> 0:12:49.410 data protection for email. And what it does is it 0:12:49.410 --> 0:12:53.579 goes through your archive and via APIs, it looks for 0:12:53.580 --> 0:12:56.040 anything that it thinks is really sensitive, like really juicy 0:12:56.040 --> 0:12:59.550 stuff that's in your archives. And if it's like older 0:12:59.550 --> 0:13:01.800 than some specified period of time, let's say a year 0:13:01.800 --> 0:13:05.130 or six months, it it can actually redact it inside 0:13:05.130 --> 0:13:09.060 your mailbox and make you do a side channel challenge, 0:13:09.059 --> 0:13:11.400 like an MFA or a, you know, touch ID or 0:13:11.400 --> 0:13:14.130 an octopus or whatever before you can get it back 0:13:14.130 --> 0:13:17.700 in your mailbox. And, um, that's like a simple control 0:13:17.700 --> 0:13:20.640 that is not it's not going into place when we 0:13:20.640 --> 0:13:24.600 detect an attacker. It's just there all the time. Because, 0:13:24.600 --> 0:13:27.390 you know, in the same way that, uh, for other 0:13:27.390 --> 0:13:29.250 content repos, you wouldn't want it to be the case 0:13:29.250 --> 0:13:31.740 that if I get in once, I just get everything. 0:13:31.740 --> 0:13:33.780 You would want to have additional checks. We're just trying 0:13:33.780 --> 0:13:36.209 to do that for email as well. Now, what's cool 0:13:36.210 --> 0:13:40.110 about that, though, is that it opens up detection capabilities, 0:13:40.110 --> 0:13:42.750 because now let's say someone was in my account and 0:13:42.750 --> 0:13:45.120 they're going to try to like retrieve these messages that 0:13:45.120 --> 0:13:48.179 have been redacted. Well, yeah. If they like try and 0:13:48.179 --> 0:13:51.120 they keep failing requests. Now it acts as a canary 0:13:51.120 --> 0:13:53.250 and it tells us, okay, there might be someone in 0:13:53.250 --> 0:13:57.030 this mailbox, um, which is actually, you know, funny story. Like, 0:13:57.030 --> 0:14:00.240 recently there was this big attack, uh, by the Chinese 0:14:00.240 --> 0:14:03.329 called storm. Uh, uh, it was a storm eight breach. 0:14:03.330 --> 0:14:06.870 It's a group that attacked the Department of Justice and 0:14:06.870 --> 0:14:10.349 a State Department and a couple other, uh, federal agencies, 0:14:10.350 --> 0:14:13.950 and they basically were after email correspondence. That's why they 0:14:13.950 --> 0:14:17.219 did it. They went after the content of these mailboxes. 0:14:17.309 --> 0:14:20.790 And one of the agencies that actually discovered this attack 0:14:20.820 --> 0:14:23.130 the way they did that is because they were looking 0:14:23.130 --> 0:14:26.490 at a log of every time an email message inside 0:14:26.490 --> 0:14:30.120 a mailbox is accessed. It's a very verbose log. Um, 0:14:30.120 --> 0:14:33.120 most people don't use it or don't, uh, operationalize it, 0:14:33.120 --> 0:14:36.060 but they were. And it's how they figured out, oh, man. 0:14:36.060 --> 0:14:38.460 Like someone is reading all these emails from like, three 0:14:38.460 --> 0:14:40.800 years ago, and they're doing it at a very high 0:14:40.800 --> 0:14:43.470 volume versus what the normal usage of the mailbox is. 0:14:43.470 --> 0:14:46.170 So you do want canaries that can tell you about. 0:14:46.370 --> 0:14:49.490 The attacker. But more importantly, you want to just like 0:14:49.490 --> 0:14:51.200 limit what the attacker can do in the first place 0:14:51.200 --> 0:14:53.090 because it's not just all about detection. 0:14:53.300 --> 0:14:56.000 Yeah, I love that because that that kind of takes 0:14:56.000 --> 0:15:00.020 the realm away from like an email security. Yeah. Vibe, 0:15:00.020 --> 0:15:02.600 which is very, I don't know, 20 years ago or 0:15:02.600 --> 0:15:05.510 whatever and moves it into more of like a data 0:15:05.510 --> 0:15:07.550 security or like an app security. 0:15:07.550 --> 0:15:10.640 That's right. That's exactly right. And, and, um, this is 0:15:10.640 --> 0:15:14.030 one of those situations where like, like the terminology is 0:15:14.030 --> 0:15:17.720 actually hurting us as an industry because it's like, okay, 0:15:17.720 --> 0:15:20.510 so email security means what you just said, right? For 0:15:20.510 --> 0:15:22.700 20 years it's blocked bad emails. 0:15:22.700 --> 0:15:25.670 Yeah. SMTP related settings, whatever. Yeah. 0:15:25.670 --> 0:15:28.310 Or like I'm going to send you like the, you know, like, uh, 0:15:28.310 --> 0:15:32.300 sasser werm over email like 20 years ago, but like, uh, 0:15:32.300 --> 0:15:37.760 or more than 20 years ago. Man, it's been a while. Um, yeah. But, uh, 0:15:37.760 --> 0:15:40.370 but I think then what do you call the thing 0:15:40.370 --> 0:15:43.310 that tries to go protect the sensitive content in your email? 0:15:43.310 --> 0:15:46.580 I mean, technically, it's security for your email messages. So 0:15:46.580 --> 0:15:49.100 is it email security? I mean, maybe, but like, yeah, 0:15:49.100 --> 0:15:52.280 to your point, it's more like data security or app security. Um, 0:15:52.280 --> 0:15:55.700 you know, it gets even more like, uh, tricky, like. So, 0:15:55.700 --> 0:15:57.680 for example, I mentioned that I was at Dropbox before 0:15:57.680 --> 0:16:00.020 this company. One of the biggest ways we would see 0:16:00.050 --> 0:16:03.500 Dropbox accounts get hacked is an email account would get hacked, 0:16:03.500 --> 0:16:06.590 and then the adversary would just reset a password to 0:16:06.590 --> 0:16:09.859 Dropbox because, um, back then and I think this is 0:16:09.860 --> 0:16:12.140 still the case, like, even if you had MFA on 0:16:12.140 --> 0:16:15.890 your Dropbox account, if you requested a password reset email, 0:16:15.890 --> 0:16:18.830 Dropbox would let you reset the password without triggering MFA 0:16:18.830 --> 0:16:21.440 because it assumed that if you had lost your first factor, 0:16:21.440 --> 0:16:24.050 you would have also lost your second factor. Um, but 0:16:24.050 --> 0:16:25.820 that means, like if I get access to an email 0:16:25.820 --> 0:16:28.040 account now, all of a sudden every service that is 0:16:28.040 --> 0:16:31.070 connected to that email account, I can just move it to, um, 0:16:31.070 --> 0:16:34.190 this happened, you know, with like, uh, McDonald's. They had 0:16:34.190 --> 0:16:37.100 their Twitter account taken over because someone broke into, like 0:16:37.100 --> 0:16:40.250 a marketing person's email account and then reset the Twitter 0:16:40.250 --> 0:16:43.070 password and they could just post anything they wanted as McDonald's. 0:16:43.070 --> 0:16:46.160 So you kind of see this thing where, like, email 0:16:46.160 --> 0:16:50.120 is really more than just a bad way to deliver something, uh, or, sorry, 0:16:50.120 --> 0:16:52.820 a way to deliver something bad. It is like all 0:16:52.820 --> 0:16:55.520 of these other things open up from an email account 0:16:55.520 --> 0:16:58.190 if you, if you, um, if you get it access once. 0:16:59.060 --> 0:17:02.090 Yeah. I love this idea. It's it's almost like you 0:17:02.090 --> 0:17:04.760 can make a total list of all the bad things 0:17:04.760 --> 0:17:07.820 that can happen around email. Yeah. And then not even 0:17:07.820 --> 0:17:10.250 think about email security. Not even think about any type 0:17:10.250 --> 0:17:13.609 of security. Just make a list of, like, abuse cases. Yeah, yeah. 0:17:13.609 --> 0:17:16.790 And then be like, okay, so where are the different 0:17:16.790 --> 0:17:19.040 layers of control that we could put on this. Is 0:17:19.040 --> 0:17:21.889 this a. And then you could assign the labels afterwards 0:17:21.890 --> 0:17:24.050 and be like this is kind of a data security thing. 0:17:24.050 --> 0:17:27.500 We kind of think of this as appsec or whatever. Yeah. 0:17:27.800 --> 0:17:30.530 And then just be like, look there's like 13 of 0:17:30.530 --> 0:17:33.380 these and they're really important. I mean, what are some 0:17:33.380 --> 0:17:35.000 of the other ones that are kind of like a 0:17:35.000 --> 0:17:38.600 more traditional appsec type control that, that you. 0:17:39.170 --> 0:17:42.949 Um, I think there's so, you know, there's going after data, uh, 0:17:42.950 --> 0:17:46.100 then there's using lateral movement, uh, like I said, with 0:17:46.100 --> 0:17:47.960 the password reset type of stuff. So trying to figure 0:17:47.960 --> 0:17:50.000 out where else I can get from this. So is 0:17:50.000 --> 0:17:53.660 a vector for further attack. Um, the other kind of 0:17:53.660 --> 0:17:56.270 thing that is very common is if I'm in control 0:17:56.270 --> 0:17:59.659 of a mailbox now, I can send email from it, obviously, 0:17:59.660 --> 0:18:02.570 and like impersonate the person who I've just taken over. 0:18:02.570 --> 0:18:05.659 So this is one of the most common ways that like, uh, 0:18:05.660 --> 0:18:09.169 business email compromise happens where, uh, let's say you're a 0:18:09.170 --> 0:18:11.810 big company, you have a vendor that sends you invoices 0:18:11.810 --> 0:18:15.530 every month. Someone takes over the vendor's account, uh, sends 0:18:15.530 --> 0:18:17.780 an email from the vendor that's like, hey, we need 0:18:17.780 --> 0:18:20.660 to change the payment terms of our invoice. And you're like, okay, cool. 0:18:20.660 --> 0:18:22.879 It's coming from the valid email. And now all of 0:18:22.880 --> 0:18:25.639 a sudden, you've wired money to the wrong place, right? So, uh, 0:18:25.640 --> 0:18:29.510 that's another abuse case of taking over a mailbox. Um, 0:18:29.600 --> 0:18:33.470 and but but honestly, there aren't that many. And this 0:18:33.470 --> 0:18:36.379 is kind of like, I, I like your point of, like, 0:18:36.380 --> 0:18:38.750 making that list. Uh, when we started this company, me 0:18:38.750 --> 0:18:42.110 and my, one of my co-founders. Big. We're big into analogies. 0:18:42.109 --> 0:18:44.360 So I'll give you another analogy, right? Like, okay, if 0:18:44.359 --> 0:18:47.210 you're thinking about, like, protecting your house and you have 0:18:47.210 --> 0:18:49.550 to make a list of every single way I could 0:18:49.550 --> 0:18:52.040 break into your house, like, how do I get in? Yep. 0:18:52.040 --> 0:18:54.560 And so that's one list. And now you make another 0:18:54.560 --> 0:18:56.930 list of, like, every single thing. I would actually want 0:18:56.930 --> 0:18:59.660 a value in your house that you really care about. Yes. 0:18:59.660 --> 0:19:02.359 Like which list is shorter? I would argue that second 0:19:02.359 --> 0:19:04.580 list is way shorter, right? It's like okay, like there's 0:19:04.580 --> 0:19:08.359 a few things that like are your crown jewels, uh, 0:19:08.359 --> 0:19:11.360 and you want to protect. So if you take that 0:19:11.359 --> 0:19:14.780 same idea to email security, if you think about every 0:19:14.780 --> 0:19:18.050 single way an email account can be compromised, it is 0:19:18.050 --> 0:19:19.969 like a long list, like I can I can do 0:19:19.970 --> 0:19:23.270 a malicious OAuth application, I can bypass MFA. Maybe I 0:19:23.270 --> 0:19:25.790 get a malicious browser extension, I might steal a personal 0:19:25.790 --> 0:19:29.240 device like client side malware list goes on. And I mean, 0:19:29.240 --> 0:19:32.570 in the case of like some of these state actor attacks, 0:19:32.570 --> 0:19:36.020 it's like literally zero days or, you know, a forged 0:19:36.020 --> 0:19:38.960 token at the Microsoft level. There's like just a long, 0:19:38.960 --> 0:19:41.570 long list. But then what do I actually want? Once 0:19:41.570 --> 0:19:43.310 I get into an email account, it's like 2 or 0:19:43.310 --> 0:19:45.290 3 things like, you know, I want the data that's 0:19:45.290 --> 0:19:48.050 inside the. Mailbox already. I want to move laterally to 0:19:48.050 --> 0:19:51.560 some other services. I want to send outbound email to 0:19:51.560 --> 0:19:54.800 a specific people. So it's just a much, much shorter list. 0:19:54.800 --> 0:19:57.229 And to your point, you can kind of iterate through 0:19:57.230 --> 0:19:59.450 each of those abuse cases and say, what controls can 0:19:59.450 --> 0:20:03.109 I put into place and actually really take a solid 0:20:03.109 --> 0:20:05.570 dent on, like the harm that you can do from 0:20:05.570 --> 0:20:09.260 a compromised mailbox? Um, so I like that way of 0:20:09.260 --> 0:20:10.070 thinking a lot. 0:20:10.950 --> 0:20:15.810 Yeah. Yeah, I think it's really interesting. I love that 0:20:15.810 --> 0:20:19.350 you're thinking in less the same way. I, I very 0:20:19.350 --> 0:20:21.600 much think that way. I think of a risk register 0:20:21.600 --> 0:20:25.650 that way. I think of threat scenarios, uh, attack scenarios 0:20:25.650 --> 0:20:30.420 like defenses. And you kind of just match them up. Yeah. Um, 0:20:30.420 --> 0:20:33.869 I hate to say the a word, but, um, one 0:20:33.869 --> 0:20:37.110 one thing, uh, that I think about a lot is, 0:20:37.109 --> 0:20:40.709 is like, okay, if one of those things is convincing 0:20:40.710 --> 0:20:44.699 somebody to do something. Yes. Like, hey, it's time to go, uh, 0:20:44.700 --> 0:20:47.910 go send this money. I need it urgently. Yeah. You 0:20:47.910 --> 0:20:51.419 can ask, uh, an LLM or AI or whatever. Like 0:20:51.570 --> 0:20:55.980 is is someone applying pressure of urgency here? Yes. Yes. Um, 0:20:55.980 --> 0:20:58.500 and is that sense of urgency tied to a thing 0:20:58.500 --> 0:21:00.840 that matters a lot, like sending money? Yes. 0:21:00.840 --> 0:21:02.040 Right. Yeah. 0:21:02.040 --> 0:21:04.919 So you could just build this, you know, very large 0:21:04.920 --> 0:21:07.140 list of like, all the different bad things. And like 0:21:07.140 --> 0:21:10.290 you said, it's, um, there could be API keys, there 0:21:10.290 --> 0:21:13.500 could be, um, uh, one of the big things a 0:21:13.500 --> 0:21:16.800 lot of foreign actors do, as you know, more than me, 0:21:16.800 --> 0:21:19.889 is like, go after sources and look for, like, with 0:21:19.890 --> 0:21:22.530 reporters and stuff like that. Yes. So if you just 0:21:22.530 --> 0:21:25.740 had this giant grid of like all these different situations 0:21:25.740 --> 0:21:28.800 and be like, oh, this one, we could do LLM 0:21:28.800 --> 0:21:31.350 to detect that this one is just a setting inside 0:21:31.350 --> 0:21:34.350 the platform to do that one. Yes. I love that 0:21:34.350 --> 0:21:35.760 comprehensive approach. 0:21:35.760 --> 0:21:38.760 100% agree with you. Um, and in fact, the thing 0:21:38.760 --> 0:21:41.790 that you just pointed out, we literally use LMS for 0:21:41.790 --> 0:21:43.109 on the detection side because. 0:21:43.109 --> 0:21:43.709 Sometimes. 0:21:43.710 --> 0:21:47.550 Because sometimes, um, you know, to be honest, like a 0:21:47.550 --> 0:21:50.790 lot of the kind of NLU stuff of like detecting 0:21:50.790 --> 0:21:53.760 things like urgency and stuff like that that's been around 0:21:53.760 --> 0:21:57.000 for a while, but then like there's and it didn't 0:21:57.000 --> 0:21:59.580 require LMS, you know, you can train like a traditional 0:21:59.580 --> 0:22:03.149 machine learning model. But what is cool about LMS is 0:22:03.150 --> 0:22:06.420 that the speed of iteration is very fast. So like 0:22:06.420 --> 0:22:09.359 you can very quickly put things in. You don't have 0:22:09.359 --> 0:22:12.960 to worry about things like, you know, multi-language support because 0:22:12.960 --> 0:22:15.899 that's handled by the LM. And then also where it 0:22:15.900 --> 0:22:19.890 really becomes handy is for things that are even more complicated. So, 0:22:19.890 --> 0:22:22.140 you know, I'll give you an example, like if I'm 0:22:22.140 --> 0:22:24.629 a company and I'm trying to protect sensitive email, some 0:22:24.630 --> 0:22:25.800 of it is going to be kind of like the 0:22:25.800 --> 0:22:29.969 classic like Social Security numbers, credit card numbers, whatever. But 0:22:29.970 --> 0:22:31.560 some of it is going to be like, is there 0:22:31.560 --> 0:22:34.020 a negotiation happening in this email thread? 0:22:34.020 --> 0:22:34.950 Yes. 0:22:34.950 --> 0:22:36.780 It's like, how the hell do you how do you 0:22:36.780 --> 0:22:39.689 like write a detection for that? You know, like you write, 0:22:39.690 --> 0:22:43.109 it's really hard. Uh, or like, oh, it's like is 0:22:43.109 --> 0:22:47.220 a executive abusing power in this email thread, uh, where 0:22:47.250 --> 0:22:49.859 like if it got if it leaked like it would like, 0:22:49.859 --> 0:22:52.920 have a reputational damage. Um, that's the kind of stuff 0:22:52.920 --> 0:22:55.800 that is very difficult or like, you know, you see, 0:22:55.830 --> 0:23:00.570 kind of like examples of, like extortion or like blackmail. Um, 0:23:00.570 --> 0:23:04.470 so for those types of things, LMS are fantastic detection 0:23:04.470 --> 0:23:07.650 tools because, I mean, their job is to understand language literally. Right? 0:23:07.650 --> 0:23:11.250 So like, they're very, very good at that. Um, I 0:23:11.250 --> 0:23:15.000 think a lot of the email security discussion with LMS 0:23:15.000 --> 0:23:19.350 has actually been pretty like pessimistic because people's heads immediately 0:23:19.350 --> 0:23:22.320 go to, oh my God, like, this thing can generate text, 0:23:22.320 --> 0:23:24.510 which means it can generate phishing emails. And so like 0:23:24.510 --> 0:23:26.609 now all of a sudden any bad guy can write 0:23:26.609 --> 0:23:31.109 emails and like send them. And, you know, there there 0:23:31.109 --> 0:23:33.390 is an element of truth to that for sure. Because like, 0:23:33.390 --> 0:23:37.710 you can kind of scale up any kind of like phishing, um, uh, 0:23:37.710 --> 0:23:41.340 campaign just by like, you know, doing research via the 0:23:41.340 --> 0:23:45.450 LMS and having it customized. So 100% is a valid 0:23:45.450 --> 0:23:48.840 it's a valid fear. But my kind of answer to 0:23:48.840 --> 0:23:51.720 that has always been like, well, shouldn't your good security 0:23:51.720 --> 0:23:56.310 controls be sort of, um, agnostic to how an attack 0:23:56.310 --> 0:23:58.740 is generated? Like, who cares if it's like a person 0:23:58.740 --> 0:24:01.949 writing the email themselves after hours of research, or they 0:24:01.950 --> 0:24:04.470 just automated it with like an LLM? At the end 0:24:04.470 --> 0:24:06.240 of the day, if you have a good control in place, 0:24:06.240 --> 0:24:10.260 like it shouldn't matter. And so and by the way, 0:24:10.260 --> 0:24:13.080 like a lot of these AI tools like LMS are 0:24:13.080 --> 0:24:16.380 a fantastic on the defensive side too. So I would 0:24:16.380 --> 0:24:18.570 personally like to see a little bit more optimism there. Uh, 0:24:18.570 --> 0:24:21.300 because like so far, a lot of the fear mongering 0:24:21.300 --> 0:24:23.490 around LMS has been, oh God, they're going to write 0:24:23.520 --> 0:24:26.250 ten more phishing emails. And it's like, yes, but like 0:24:26.250 --> 0:24:29.939 your control should work anyway. Good ones at least. And secondly, 0:24:29.940 --> 0:24:32.190 you can also use them on the defensive side. So 0:24:32.190 --> 0:24:34.230 there's there's a lot to be optimistic about. 0:24:34.230 --> 0:24:37.170 Yeah I love that. The way I've been framing that 0:24:37.170 --> 0:24:41.020 is um. Uh, Red is going to have like this 0:24:41.020 --> 0:24:43.960 massive advantage in the beginning because they could just like 0:24:43.960 --> 0:24:46.719 they don't have to experiment and be careful. Yeah. They 0:24:46.720 --> 0:24:49.359 could just like so the spearfishing like, starts the day 0:24:49.359 --> 0:24:51.070 after an LM comes out. Yes. 0:24:51.070 --> 0:24:51.790 Yeah. Exactly. 0:24:51.790 --> 0:24:52.090 Yeah. 0:24:52.090 --> 0:24:56.740 But um, blue should actually get better with those same 0:24:56.740 --> 0:24:57.580 AI tools. 0:24:57.580 --> 0:24:57.970 Yeah. 0:24:57.970 --> 0:25:01.119 So ideally it would be something like oh we have a, 0:25:01.300 --> 0:25:04.390 we have a Sea team member who is like just 0:25:04.390 --> 0:25:07.420 so ego driven. And if you compliment them in any 0:25:07.420 --> 0:25:10.720 way and like say, hey, I want you to lead 0:25:10.720 --> 0:25:13.270 this new foundation or something like they're going to click 0:25:13.270 --> 0:25:14.020 that email. 0:25:14.500 --> 0:25:14.710 Yeah. 0:25:14.710 --> 0:25:16.270 So you flagged that or something. 0:25:16.270 --> 0:25:16.600 Yeah. 0:25:16.840 --> 0:25:19.210 This goes back to what I think so cool about. 0:25:19.210 --> 0:25:19.810 That would be funny. 0:25:19.810 --> 0:25:22.690 It's like this email is complimenting you. You don't ever 0:25:22.690 --> 0:25:24.369 get compliments. This especially. 0:25:24.790 --> 0:25:25.149 Right. 0:25:25.150 --> 0:25:29.020 That's right. And you click on 94 of them 94% 0:25:29.020 --> 0:25:30.940 of them when you do get to compliment. So this 0:25:30.940 --> 0:25:35.850 is dangerous. Um, yeah. Yeah. So it's like. The other 0:25:35.850 --> 0:25:38.730 thing that's really powerful about this is, um, you can 0:25:38.730 --> 0:25:43.500 have additional context customized for your particular company. Yeah. So 0:25:43.500 --> 0:25:46.770 it's like, um, we're doing this thing with France or something. 0:25:46.770 --> 0:25:50.280 It's really sensitive. Yes. And, uh, so anything around that is, 0:25:50.280 --> 0:25:52.110 you know, notch that up two levels. 0:25:52.109 --> 0:25:52.530 Totally. 0:25:52.530 --> 0:25:55.350 Totally. Yeah, yeah. And so, yeah, we've been talking about 0:25:55.350 --> 0:25:59.100 kind of like suspicious or malicious emails, but LMS like 0:25:59.100 --> 0:26:01.770 I think you just alluded to also very helpful for 0:26:01.770 --> 0:26:05.340 the sensitive emails because like yes. Yeah. To your point, 0:26:05.340 --> 0:26:08.550 like maybe today you want to say something like anything 0:26:08.550 --> 0:26:11.040 about this project or we're about to we're prepping to 0:26:11.040 --> 0:26:13.830 go to IPO. Uh, not material, but as a hypothetical. 0:26:13.830 --> 0:26:14.400 Right. Exactly. 0:26:14.400 --> 0:26:19.719 Like it's like, uh. How any conversation around like IPO 0:26:19.720 --> 0:26:22.390 prep is pretty sensitive. Like, but how do you how 0:26:22.390 --> 0:26:25.660 do you declare that as a general sensitive content category, 0:26:25.660 --> 0:26:29.320 it's pretty hard without something like an LLM. So leveraging 0:26:29.320 --> 0:26:33.340 them for those custom detection categories or context specific detection 0:26:33.340 --> 0:26:36.190 categories is very exciting. Um, and I and I think 0:26:36.190 --> 0:26:39.250 that that is the way the, the sort of like, uh, 0:26:39.250 --> 0:26:40.780 security controls are headed. 0:26:41.500 --> 0:26:45.340 Yeah, absolutely. The other use case I thought about for 0:26:45.340 --> 0:26:49.120 a long time about that is like, um, legal companies 0:26:49.119 --> 0:26:50.290 were being attacked. 0:26:50.320 --> 0:26:50.920 Um, law. 0:26:50.920 --> 0:26:54.340 Firms. Yeah. And they have very little IT staff, very 0:26:54.340 --> 0:26:58.090 little security knowledge. Yes. And what they have is this 0:26:58.090 --> 0:27:02.710 list of connections, people interacting with different people. Yeah. Uh, 0:27:02.710 --> 0:27:05.890 suing different people. And it's like, that's the mapping that 0:27:05.890 --> 0:27:07.629 that attacker might want, want to use. 0:27:07.630 --> 0:27:08.560 Yes. Yeah. 0:27:08.560 --> 0:27:11.139 Totally. Well, and that's another I mean, that brings up 0:27:11.140 --> 0:27:14.050 one other point about email that is hard, is that 0:27:14.050 --> 0:27:17.500 the way email works is when when a message is 0:27:17.500 --> 0:27:21.970 sent to multiple people, uh, everyone gets a copy, obviously. Right. 0:27:21.970 --> 0:27:24.850 So there's no like pointer relationship with email. Like you 0:27:24.850 --> 0:27:29.080 each get a copy, which means that one of the 0:27:29.080 --> 0:27:30.790 downsides is that is like you could be doing a 0:27:30.790 --> 0:27:33.609 great job with your own email security and like, you 0:27:33.609 --> 0:27:37.060 could have minimized the impact of a compromised account or whatever. 0:27:37.060 --> 0:27:40.510 But then like the person who was CC'd, like, you know, 0:27:40.510 --> 0:27:42.820 they might have terrible, you know, when when we started 0:27:42.820 --> 0:27:45.340 the company, like I mentioned, it was after the 2016 0:27:45.340 --> 0:27:48.429 election cycle, and one of the attacks that happened then 0:27:48.430 --> 0:27:50.950 was John Podesta, who was Hillary's campaign chairman. He had 0:27:50.950 --> 0:27:54.400 his personal Gmail account compromised, and all of his emails 0:27:54.400 --> 0:27:56.980 were put on Wikileaks, like literally like years and years 0:27:56.980 --> 0:28:00.399 of his personal Gmail. And and there were things in 0:28:00.400 --> 0:28:03.040 there that he was just seized on. He had literally 0:28:03.040 --> 0:28:05.200 no reason to even be on the message. He was 0:28:05.200 --> 0:28:09.400 just CC. And because of that, all this communication that 0:28:09.400 --> 0:28:13.389 was about like the election or about like prepping for 0:28:13.390 --> 0:28:17.560 something that like, frankly, he just was being an FYI on. Yeah. 0:28:17.890 --> 0:28:20.530 You know, um, so I think the, the fact that 0:28:20.530 --> 0:28:23.380 everybody gets a copy is hard. And what that means 0:28:23.380 --> 0:28:25.090 is you kind of have to think about who you're 0:28:25.090 --> 0:28:28.240 like trusted parties are that are outside of your control 0:28:28.240 --> 0:28:31.690 and make sure they have good practices, you know, which 0:28:31.690 --> 0:28:34.119 which becomes a it's kind of like, uh, similar to 0:28:34.119 --> 0:28:37.060 a supply chain security problem, right? Where you're like on 0:28:37.060 --> 0:28:39.670 the software side, you're thinking about all the dependencies your 0:28:39.670 --> 0:28:42.550 software has on the kind of email side, you might 0:28:42.550 --> 0:28:45.970 have to think about all the different, um, associates of 0:28:45.970 --> 0:28:48.820 your company that have, you know, your email as well. 0:28:48.970 --> 0:28:53.290 Yeah. Or like, uh, PCI where the scope is contagious. Yeah. 0:28:53.290 --> 0:28:55.990 It like slightly brushes up against it. Now that's in scope. 0:28:55.990 --> 0:28:59.620 It's like yeah, yeah, yeah. Interesting. Um, so so what 0:28:59.620 --> 0:29:03.550 does it look like to basically onboard the tech. Like 0:29:03.550 --> 0:29:06.520 what does the integration look like. What's the experience like 0:29:06.520 --> 0:29:08.530 how fast can somebody get up and running. 0:29:08.740 --> 0:29:11.080 Yeah. So it's incredibly fast. And the reason for that 0:29:11.080 --> 0:29:14.380 is everything we do uh works with cloud mailboxes which 0:29:14.380 --> 0:29:18.310 have APIs. So our whole integration point, um, is API based. 0:29:18.310 --> 0:29:21.459 It's just an OAuth grant where we are getting access 0:29:21.460 --> 0:29:25.090 to email via API. Uh, which is a big difference 0:29:25.090 --> 0:29:27.790 from like, uh, you know, legacy email security products that 0:29:27.790 --> 0:29:28.600 some folks might. 0:29:28.600 --> 0:29:30.190 Be away or something. Yeah. 0:29:30.190 --> 0:29:32.860 Where you're like changing your DNS and like routing email 0:29:32.860 --> 0:29:35.710 through the appliance, like you're not doing any of that. Um, 0:29:35.710 --> 0:29:38.650 as a result, the integration is very quick. But also 0:29:38.650 --> 0:29:41.980 it means that you don't take some dependency on this 0:29:41.980 --> 0:29:45.100 API based thing going down and like, you know, shutting 0:29:45.100 --> 0:29:47.709 off your email, like, for example, like if material were 0:29:47.710 --> 0:29:49.720 to go down, it's not like email stops flowing. You're 0:29:49.720 --> 0:29:52.930 still you're still doing email as usual. Of course, some 0:29:52.930 --> 0:29:55.270 of the detections material does or some of the mitigations 0:29:55.270 --> 0:29:57.820 it does would be would not be active. But we're 0:29:57.820 --> 0:30:00.940 not in your email flow. Um, so it's pretty quick. 0:30:00.940 --> 0:30:03.430 The other benefit of APIs is you can be very 0:30:03.430 --> 0:30:06.790 selective in how you deploy that, deploy the protection inside 0:30:06.790 --> 0:30:10.030 your company. So for example, with gateways, it's a kind 0:30:10.030 --> 0:30:12.489 of an all or nothing you like do a cutover. Um, 0:30:12.490 --> 0:30:16.060 but with API based email security products, you can say, hey, 0:30:16.060 --> 0:30:19.780 for my executives do X, but for my other team Y, 0:30:19.780 --> 0:30:21.970 you know, you can kind of have different settings, different 0:30:21.970 --> 0:30:25.000 kind of configurations or policies. So that is something that 0:30:25.000 --> 0:30:27.130 a lot of our customers also take advantage of. 0:30:27.760 --> 0:30:30.760 Yeah, that's really cool. And what does it look like 0:30:30.760 --> 0:30:33.550 to know that it's working. Like what is the interface 0:30:33.550 --> 0:30:37.600 look like. Um, if there's nothing wrong, do you just 0:30:37.600 --> 0:30:39.730 not see it? And then does it sort of move 0:30:39.730 --> 0:30:42.340 up the level in priority if it sees something? 0:30:42.340 --> 0:30:43.000 Yeah. 0:30:43.000 --> 0:30:45.340 Well, we have a few different products. So depending on 0:30:45.340 --> 0:30:47.080 the product we're talking about, you know, what you would 0:30:47.080 --> 0:30:49.630 see is slightly different. So one of our products that 0:30:49.630 --> 0:30:52.270 we've been talking about a little bit so far is uh, 0:30:52.270 --> 0:30:55.690 we go and redact sensitive messages that are older than 0:30:55.690 --> 0:31:00.250 some specified time frame. And uh, and then an end 0:31:00.250 --> 0:31:03.250 user has to pass like an Okta challenge or some 0:31:03.250 --> 0:31:06.490 sort of secondary challenge. Uh, it can be really any 0:31:06.520 --> 0:31:09.940 IDP or so. If they pass that, then we restore 0:31:09.940 --> 0:31:12.670 the message right back into the mailbox. It's really seamless. 0:31:12.670 --> 0:31:14.590 And then after some amount of time, once the user 0:31:14.590 --> 0:31:16.770 is kind of done with it, we will redact. Did again. 0:31:16.770 --> 0:31:19.950 So for that product, what you see as an IT 0:31:19.950 --> 0:31:23.760 or security admin is really not much on a day 0:31:23.760 --> 0:31:25.469 to day basis, because it's kind of like just in 0:31:25.470 --> 0:31:28.380 the background doing its thing. Uh, you do get an 0:31:28.380 --> 0:31:32.070 access request log. So every time someone is accessing one 0:31:32.070 --> 0:31:34.410 of these sensitive messages and having to do the retrieval, 0:31:34.410 --> 0:31:37.500 now there's a paper trail of that, obviously you could 0:31:37.500 --> 0:31:40.620 you could pipe that into like a SIM or something 0:31:40.620 --> 0:31:42.360 and say, okay, like if I'm seeing a lot of 0:31:42.360 --> 0:31:46.230 these from someone at the same time, that's that's indicative 0:31:46.230 --> 0:31:47.970 of something bad. Or if I'm getting a lot of 0:31:47.970 --> 0:31:50.550 denials in a row, obviously, that that ends up being 0:31:50.550 --> 0:31:53.790 something bad, but really there's nothing to like, detect or 0:31:53.790 --> 0:31:56.130 show on a daily basis because people are just doing 0:31:56.130 --> 0:32:01.140 a self-serve, secure workflow for accessing sensitive content. Um, on 0:32:01.140 --> 0:32:03.300 the other hand, we do have a product that is 0:32:03.300 --> 0:32:05.910 a much more in the kind of traditional look for 0:32:05.910 --> 0:32:09.450 sophisticated attacks that bypass like Google or Microsoft or Proofpoint 0:32:09.450 --> 0:32:12.690 or whatever. Um, and there you have like a, you know, 0:32:12.690 --> 0:32:15.719 an incidence or cases list where you're seeing kind of 0:32:15.720 --> 0:32:19.590 what material actually detected. Some companies set us up where 0:32:19.590 --> 0:32:21.840 we're just auto remediating those. And again, you don't really 0:32:21.840 --> 0:32:23.730 have to log into the console. There's nothing to see. 0:32:23.730 --> 0:32:26.970 We're just handling them. Other teams are much more hands 0:32:26.970 --> 0:32:29.400 on where they might auto remediate, but then they want 0:32:29.400 --> 0:32:31.650 to still like triage the things that we actually caught 0:32:31.650 --> 0:32:35.100 make sure they're not false positives. Um, you know, communicate 0:32:35.100 --> 0:32:37.620 to end users about it, have their sort of, um, 0:32:37.620 --> 0:32:41.250 SoC watch. That kind of really depends on how much, um, 0:32:41.250 --> 0:32:43.380 how hands on a company wants to be. But that's 0:32:43.380 --> 0:32:44.760 what they would see in the console. 0:32:45.330 --> 0:32:49.560 Okay, cool. And then what is, um, the threat intelligence 0:32:49.560 --> 0:32:51.660 story look like in terms of like, hey, there's this 0:32:51.660 --> 0:32:54.930 new campaign happening, this new vulnerability or whatever. Yeah. And 0:32:54.930 --> 0:32:57.660 it's like it's being blasted all over the internet. Yeah. Like, 0:32:57.660 --> 0:33:00.180 what does that turnaround gap look like for you in 0:33:00.180 --> 0:33:03.330 terms of like, uh, finding out about it and getting 0:33:03.330 --> 0:33:04.890 into the product and rolling it out? 0:33:04.890 --> 0:33:07.650 Yeah, it's a great question. Um, yeah. So email is 0:33:07.650 --> 0:33:11.550 super dynamic. There's like always new kinds of campaigns. And 0:33:11.550 --> 0:33:14.190 people are, uh, you know, trying out new tactics to 0:33:14.190 --> 0:33:17.070 bypass kind of a lot of the traditional defenses. So 0:33:17.070 --> 0:33:19.410 like one of the, one of the more recent things 0:33:19.410 --> 0:33:22.650 is like QR codes, right? Like for a while, like 0:33:22.650 --> 0:33:25.560 a lot of detection engines weren't exploding QR codes or 0:33:25.560 --> 0:33:27.510 following the links. So that meant that like QR codes 0:33:27.510 --> 0:33:30.660 were a really great way to deliver attacks. Um, we 0:33:30.660 --> 0:33:33.720 have a couple different mechanisms. So first of all, one 0:33:33.720 --> 0:33:36.660 of the things our product does is it also ingests 0:33:36.660 --> 0:33:39.960 any user reporting that is happening inside a company. So 0:33:39.960 --> 0:33:42.270 one of the best practices that every security team tries 0:33:42.270 --> 0:33:45.150 to implement is they say, hey, uh, if you see something, 0:33:45.180 --> 0:33:48.090 say something, right? Like, uh, and with email security, what 0:33:48.090 --> 0:33:50.520 that normally looks like in most companies is, hey, we 0:33:50.520 --> 0:33:53.670 have this like phishing mailing list, or we have like a, 0:33:53.670 --> 0:33:57.000 like a, like a report phishing button or something where 0:33:57.000 --> 0:33:59.580 please report it to us if you see something. So 0:33:59.580 --> 0:34:02.490 we have a product that automates the response to those 0:34:02.490 --> 0:34:05.729 user reports. So it ingests them. It auto classifies and 0:34:05.730 --> 0:34:09.030 triages them, uh, looks for similar messages that the user 0:34:09.030 --> 0:34:12.180 may not have reported, and then even responds back to 0:34:12.180 --> 0:34:14.700 the user saying, hey, thanks for this report. Uh, it 0:34:14.700 --> 0:34:17.489 was fine. Or actually that was a true positive. That 0:34:17.489 --> 0:34:20.910 was bad. Anyway, so that ends up being a great 0:34:20.910 --> 0:34:24.480 signal because across all customers, if they are users that 0:34:24.480 --> 0:34:27.540 are reporting things that then we know are actually malicious, 0:34:27.540 --> 0:34:29.850 that's a you know, we think of that as like 0:34:29.850 --> 0:34:31.890 a oh, well, why didn't material just flag that in 0:34:31.890 --> 0:34:34.830 the first place. And so it becomes this feedback loop. Um, 0:34:34.830 --> 0:34:37.710 so the more customers we have, the more signal we 0:34:37.710 --> 0:34:39.989 have from users reporting things. And we can quickly like 0:34:39.989 --> 0:34:42.450 build it back into the product. The other thing is 0:34:42.450 --> 0:34:45.029 we do have an in-house threat research team. You know, 0:34:45.030 --> 0:34:48.270 their whole job is like focused on looking for these 0:34:48.270 --> 0:34:51.660 active campaigns that are happening, looking for what some of 0:34:51.660 --> 0:34:54.900 our more sophisticated customers are telling us that they're seeing, 0:34:54.900 --> 0:34:57.779 and then quickly kind of iterating on our detection engine 0:34:57.780 --> 0:35:01.380 to handle them. And then the the sort of like 0:35:01.380 --> 0:35:06.270 last piece of this is, um, just investing in a 0:35:06.270 --> 0:35:09.899 system that has a lot of flexibility. So in in 0:35:09.900 --> 0:35:13.109 email security, there's kind of this interesting not like really 0:35:13.110 --> 0:35:15.810 a debate, but there's this interesting kind of, uh, trend 0:35:15.810 --> 0:35:18.180 emerging where there's a couple different approaches to the email 0:35:18.180 --> 0:35:21.090 security problem. Like on the one hand, there's kind of 0:35:21.090 --> 0:35:24.540 like the black box approach, which is like, hey, like AI, 0:35:24.540 --> 0:35:26.460 machine learning, we're going to try to detect what we 0:35:26.460 --> 0:35:29.549 can and like there aren't really knobs and tuning and 0:35:29.550 --> 0:35:31.500 all that, but like this model is going to be 0:35:31.500 --> 0:35:33.900 way better than trying to like handwrite a lot of rules. 0:35:33.900 --> 0:35:36.359 Which makes sense because, you know, a lot of times 0:35:36.360 --> 0:35:38.460 you have like never before seen attacks or you have 0:35:38.460 --> 0:35:41.100 like things that are like, you know, there's no signature 0:35:41.100 --> 0:35:43.380 that you can kind of rely on. And also, like, 0:35:43.380 --> 0:35:45.480 no one wants to maintain this big list of rules 0:35:45.480 --> 0:35:47.459 and things like that. So that's kind of one extreme. 0:35:47.460 --> 0:35:50.850 The other extreme is, uh, you know, you're kind of 0:35:50.850 --> 0:35:55.080 seeing like the detection as code, um, philosophy coming to 0:35:55.080 --> 0:35:57.660 email security as well. And people are like, hey, we 0:35:57.660 --> 0:36:00.120 have this list of detections we maintain we're going to 0:36:00.120 --> 0:36:01.859 back test them. We're going to make sure they have 0:36:01.860 --> 0:36:04.680 like a good precision rate. Um, and it gives a 0:36:04.680 --> 0:36:06.989 lot of control, but it means you're doing a lot yourself. 0:36:06.989 --> 0:36:09.630 You're hand tuning a lot of things. And there are 0:36:09.630 --> 0:36:12.509 products that kind of help you and make that easier. 0:36:12.510 --> 0:36:14.609 There are products that help you maintain that, you know, 0:36:14.610 --> 0:36:17.960 we have customers that. Maintain like GitHub repositories of like 0:36:17.960 --> 0:36:21.290 detections they've written, but it is kind of like very manual. 0:36:21.290 --> 0:36:23.450 And then there's kind of somewhere in the middle where 0:36:23.450 --> 0:36:26.540 you're like, hey, I don't want to be full black 0:36:26.540 --> 0:36:28.700 box because they are going to be things that you miss. 0:36:28.700 --> 0:36:31.100 And in those moments, like, you don't want to be like, oh, 0:36:31.100 --> 0:36:32.839 I guess I'll just wait for the black box to 0:36:32.840 --> 0:36:35.510 update and catch this. But on the other hand, you 0:36:35.510 --> 0:36:37.730 really don't want to live in a world where most 0:36:37.730 --> 0:36:39.920 of your time as a security team is spent on 0:36:39.920 --> 0:36:43.700 like tuning or creating these, like, detections. Um, and so 0:36:43.700 --> 0:36:46.100 what we're trying to do is like out of the box. 0:36:46.100 --> 0:36:49.580 It's like, you know, going to be perfectly fine, have 0:36:49.580 --> 0:36:52.339 a lot of coverage, pretty high precision, but then still 0:36:52.340 --> 0:36:55.219 give you tools in the product where if you notice something, 0:36:55.219 --> 0:36:57.620 if like you're aware of an active campaign that we're not, 0:36:57.620 --> 0:37:00.379 you can quickly like express a detection in our product 0:37:00.380 --> 0:37:04.250 or express a rule or a search query that will say, hey, 0:37:04.250 --> 0:37:06.890 please treat this as malicious. Like, I know your whole 0:37:06.890 --> 0:37:09.650 product hasn't updated yet, but like I know this is bad, 0:37:09.650 --> 0:37:11.779 I just want to express it in your platform. I 0:37:11.780 --> 0:37:14.900 should be able to. Um, so it's kind of a 0:37:14.900 --> 0:37:18.830 product design philosophy, right? Which is like have the kind 0:37:18.830 --> 0:37:21.440 of flexibility so that when you need it, it's available. 0:37:21.440 --> 0:37:24.259 But treat that as almost an anti metric. Like if 0:37:24.260 --> 0:37:27.860 people are having to create those flexible leverage that flexibility 0:37:27.860 --> 0:37:30.469 a lot. It means you're kind of doing something wrong, right. 0:37:30.469 --> 0:37:32.690 Like you really should have done it out of the box. 0:37:32.690 --> 0:37:33.469 I absolutely. 0:37:33.469 --> 0:37:36.470 Love that. I don't know if, um, you ever watch 0:37:36.469 --> 0:37:39.049 Star Trek The Next Generation, but I was obsessed with 0:37:39.050 --> 0:37:41.510 I was obsessed with the fact that the first time 0:37:41.510 --> 0:37:44.210 they hit a Borg with the phaser. Yeah, like it 0:37:44.210 --> 0:37:47.900 would fall over dead. And like, the third time the 0:37:47.900 --> 0:37:52.220 entire Borg across the entire universe was updated. Yeah. And like, 0:37:52.219 --> 0:37:55.040 that frequency would not work anymore. And I was just like, yeah, 0:37:55.040 --> 0:37:58.070 that is, you know, I mean, security maybe. 0:37:58.310 --> 0:37:58.850 Yeah. 0:37:58.850 --> 0:38:00.859 I've never thought about it that way, but so true. 0:38:00.860 --> 0:38:01.640 Yeah, yeah. 0:38:01.640 --> 0:38:05.450 So that signal that they create that would obviously apply 0:38:05.450 --> 0:38:07.910 to their local environment. But is that is that also 0:38:07.910 --> 0:38:11.029 a signal to the, uh, the T team to be like, hey, 0:38:11.030 --> 0:38:12.319 maybe we should put this in. 0:38:12.320 --> 0:38:15.739 Yes, absolutely. And, um, one thing that we are very 0:38:15.739 --> 0:38:18.440 conscious of is like, obviously we're getting access to a 0:38:18.440 --> 0:38:22.610 companies like email. It's very, very sensitive. So, so the 0:38:22.610 --> 0:38:27.170 whole material deployment and architecture, uh, model is that every 0:38:27.170 --> 0:38:31.160 single customer has a single tenant environment that is actually 0:38:31.160 --> 0:38:33.500 in their control. So they, they don't just get access 0:38:33.500 --> 0:38:36.890 to our admin console like other SaaS, they actually can 0:38:36.890 --> 0:38:39.680 log in to the underlying infrastructure that is hosting our 0:38:39.680 --> 0:38:42.890 application because it's all single tenant. And so we get 0:38:42.890 --> 0:38:45.589 to make some pretty cool guarantees, like of isolation and 0:38:45.590 --> 0:38:48.620 making sure that there's no data sharing happening and that like, 0:38:48.620 --> 0:38:52.040 data isn't leaving that instance unless it's permitted by a customer. 0:38:52.400 --> 0:38:55.400 Having said that, though, a lot of our customers are 0:38:55.400 --> 0:38:59.420 okay with a threat research team extracting the signal of, okay, what, 0:38:59.420 --> 0:39:01.670 you know, what custom detections did you make or what 0:39:01.670 --> 0:39:04.160 did your user reports? So where we have permission, which 0:39:04.160 --> 0:39:06.590 tends to be in most cases, we are able to 0:39:06.590 --> 0:39:08.690 look for those signals. But I do want to point 0:39:08.690 --> 0:39:10.880 out that there are some customers who are like, nope, sorry. 0:39:10.880 --> 0:39:13.460 Like this is too sensitive. Like we don't want your 0:39:13.460 --> 0:39:17.060 team or anyone in material to have any access to 0:39:17.060 --> 0:39:19.940 what we're doing. You can you can configure and deploy 0:39:19.940 --> 0:39:21.950 us that way as well. And you know, there's kind 0:39:21.950 --> 0:39:24.800 of like you can probably guess the types of organizations 0:39:24.800 --> 0:39:26.780 that want to deploy us in that model. 0:39:26.960 --> 0:39:28.850 No, that's a great point. And it goes to your 0:39:28.850 --> 0:39:32.300 earlier point about flexibility. It's like you could be that 0:39:32.300 --> 0:39:36.200 like three letter agency type group. That's like all closed doors. 0:39:36.230 --> 0:39:38.960 Or it could be like, yeah, sharing with the Borg 0:39:38.960 --> 0:39:39.590 or whatever. 0:39:39.590 --> 0:39:40.070 Yeah. 0:39:40.070 --> 0:39:42.799 Yeah. Exactly. And you know, and like the nice thing 0:39:42.800 --> 0:39:46.400 here is like obviously like for these attacks and stuff 0:39:46.400 --> 0:39:49.580 for the most part, like even just like getting like 0:39:50.060 --> 0:39:53.090 anonymized data in terms of like, like it doesn't really matter. 0:39:53.090 --> 0:39:56.120 Like which tenant or which customer it's targeting. It's just 0:39:56.120 --> 0:39:58.160 a fact that like, it got missed. It's something you 0:39:58.160 --> 0:40:00.319 can tweak so you kind of don't have to reveal 0:40:00.320 --> 0:40:04.160 anything to other customers by participating in this. But having 0:40:04.160 --> 0:40:06.410 said that, yeah, some some companies are just a lot 0:40:06.410 --> 0:40:10.370 more closed and a lot more strict. And and that's okay. Uh, 0:40:10.370 --> 0:40:12.560 we also have the other extreme where there's companies that 0:40:12.560 --> 0:40:14.810 are like, dude, I just want to use this as SaaS. Like, 0:40:14.810 --> 0:40:17.000 I don't care about the infrastructure. Like, I don't have 0:40:17.000 --> 0:40:19.700 teams that like, want to, like, log into that and like, 0:40:19.700 --> 0:40:22.520 I'm busy. Just just give me an admin console. That's 0:40:22.520 --> 0:40:24.620 fine too, you know, like, uh, so we kind of 0:40:24.620 --> 0:40:26.450 have support all of those models. 0:40:27.110 --> 0:40:29.840 Okay. And what are the main products? I think we've 0:40:29.870 --> 0:40:32.450 talked about 2 or 3 already, but like what what 0:40:32.450 --> 0:40:33.859 are the main core products. 0:40:33.860 --> 0:40:37.610 Yeah. So we have four main products. So the first 0:40:37.610 --> 0:40:39.649 that we've been talking about is data protection. And that's 0:40:39.650 --> 0:40:43.550 really focused on giving you visibility. And then the redaction 0:40:43.550 --> 0:40:46.520 of sensitive messages that are in email. And again not 0:40:46.520 --> 0:40:50.630 like outbound emails, not things I'm now sending, but really 0:40:50.630 --> 0:40:53.029 focused on what's sitting in your archives that's going to 0:40:53.030 --> 0:40:55.640 get you in trouble if a, if a mailbox was compromised, 0:40:55.640 --> 0:40:57.620 or if an insider was trying to walk with a 0:40:57.620 --> 0:40:59.720 lot of email on their last day or something. So 0:40:59.719 --> 0:41:03.020 that's one. The second product is, uh, phishing protection. So 0:41:03.020 --> 0:41:05.810 that is kind of the traditional email security where we're 0:41:05.810 --> 0:41:10.040 looking for inbound attacks that may have been missed by 0:41:10.040 --> 0:41:12.350 like a Google or a Microsoft or whatever other traditional 0:41:12.350 --> 0:41:15.020 defenses you have in place. The third is a product 0:41:15.020 --> 0:41:18.330 we call identity. Protection, where it's really focused on that 0:41:18.330 --> 0:41:20.910 Dropbox example of like, hey, if you get into my 0:41:20.910 --> 0:41:24.270 email account, can you now go reset Dropbox because you 0:41:24.270 --> 0:41:27.420 just request a password reset? Or can you go to 0:41:27.420 --> 0:41:28.890 slack and say, hey, can you send me one of 0:41:28.890 --> 0:41:31.350 those magic sign in links? And then I can just 0:41:31.350 --> 0:41:33.900 get into a slack workspace, even if slack is behind 0:41:33.900 --> 0:41:36.510 so or MFA or whatever. Yeah. You literally click these 0:41:36.510 --> 0:41:38.190 magic sign in links bypass link. 0:41:38.190 --> 0:41:38.550 Yeah. 0:41:38.940 --> 0:41:41.670 Um, so what we do there is something again, very simple. 0:41:41.670 --> 0:41:44.520 It's another seat belt where we intercept those kinds of 0:41:44.520 --> 0:41:47.609 messages and we make the end user prove that they 0:41:47.610 --> 0:41:50.520 were the ones who actually requested them before delivering them. 0:41:50.520 --> 0:41:53.160 So it's very simple. Like you go request a Dropbox 0:41:53.160 --> 0:41:56.670 password reset. Now you first get an email from material 0:41:56.670 --> 0:41:59.040 that says, hey, are you trying to reset your Dropbox password? 0:41:59.040 --> 0:42:01.890 If you say yes, the Dropbox password reset email comes 0:42:01.890 --> 0:42:04.320 in as usual. You go about your merry way. If 0:42:04.320 --> 0:42:07.170 you say no, though, it means like I can't be 0:42:07.170 --> 0:42:09.330 in your mailbox and then go get access to these 0:42:09.330 --> 0:42:13.770 lateral things. And in a in a typical enterprise organization, 0:42:13.770 --> 0:42:16.470 which is what we normally kind of sell to, um, 0:42:16.469 --> 0:42:19.469 you will see hundreds of apps that are still doing 0:42:19.469 --> 0:42:23.100 password resets or sign up verifications over email, even though 0:42:23.100 --> 0:42:26.250 they're supposed to be under SSL. So like a common 0:42:26.250 --> 0:42:30.690 culprit is like Salesforce, uh, or, you know, workday where 0:42:30.690 --> 0:42:33.989 like you think they're behind. So or ADP is another 0:42:33.989 --> 0:42:36.090 one where you think you've kind of handled them, but 0:42:36.090 --> 0:42:38.550 there's some backdoor happening over email that you like, forgot 0:42:38.550 --> 0:42:41.760 about or you misconfigured. And then there's all these like 0:42:41.760 --> 0:42:44.730 consumer apps that are like not never going to support 0:42:44.730 --> 0:42:47.340 SFO but are still valid in the corporate settings. So 0:42:47.340 --> 0:42:49.920 like Twitter I gave as an example. Right. Like obviously 0:42:49.920 --> 0:42:51.960 your marketing team has a Twitter account, but Twitter is 0:42:51.960 --> 0:42:55.650 not going to support any type of identity thing. Um, 0:42:56.040 --> 0:42:58.680 and then our fourth product is basically what we call 0:42:58.680 --> 0:43:02.219 posture management. And it really is about helping you understand 0:43:02.219 --> 0:43:05.430 what's even going on with your email environment, uh, and 0:43:05.430 --> 0:43:09.960 broadly your Google Workspace or M365 environment. So for example, um, 0:43:09.960 --> 0:43:12.870 when I was at Dropbox, if I walked into our 0:43:12.870 --> 0:43:16.919 company and created a auto forward of all of my 0:43:16.920 --> 0:43:21.000 corporate mail to my personal Gmail, literally no one would 0:43:21.000 --> 0:43:23.549 know and no one would come and do anything about it. 0:43:23.550 --> 0:43:26.879 And the reason is because, um, just getting that kind 0:43:26.880 --> 0:43:30.030 of information out of like some of these productivity suites 0:43:30.030 --> 0:43:32.550 can be very hard. And a lot of times people 0:43:32.550 --> 0:43:35.880 haven't really built like detection or response playbooks around them, 0:43:35.880 --> 0:43:39.270 and they can't outright block this kind of behavior from 0:43:39.270 --> 0:43:42.450 happening because sometimes they are legitimate use cases for auto forwards, 0:43:42.450 --> 0:43:44.100 for example. So you can't just like block it at 0:43:44.100 --> 0:43:47.400 the tenant level. So we look for all sorts of 0:43:47.400 --> 0:43:52.830 behavior or settings or misconfigurations in M365 or Google Workspace, 0:43:52.830 --> 0:43:55.470 and we just surfaced them with recommendations of how to 0:43:55.469 --> 0:43:58.589 reduce that kind of risk. And that's part of the 0:43:58.590 --> 0:44:01.020 posture management product. So yeah, those are the four. 0:44:01.560 --> 0:44:04.980 Yeah. Those are those are great. That is they all 0:44:04.980 --> 0:44:08.820 do definitely complement each other. I really like the last one, 0:44:08.820 --> 0:44:12.029 especially because I feel like that is so much of 0:44:12.030 --> 0:44:15.660 the game is like just not knowing. It's like leaving 0:44:15.660 --> 0:44:19.230 open S3 buckets. It's like you're spending all this money 0:44:19.230 --> 0:44:22.230 on security and then you've got this thing dangling. Yeah. 0:44:22.230 --> 0:44:25.830 And uh, yeah, there's so many settings as well. So 0:44:25.830 --> 0:44:26.580 it's hard for me. 0:44:26.969 --> 0:44:29.069 I actually think that, you know, it's a funny story 0:44:29.070 --> 0:44:31.650 about that. When we first started the company, it was 0:44:31.650 --> 0:44:35.250 just the data protection, uh, feature, the redaction one. That's 0:44:35.250 --> 0:44:36.960 really what led us to start this company in the 0:44:36.960 --> 0:44:40.379 first place. When we went and talked to CISOs or 0:44:40.380 --> 0:44:43.169 security teams about that, the first question we would obviously 0:44:43.170 --> 0:44:46.590 get is like, hey, cool. Like you have this awesome 0:44:46.590 --> 0:44:50.400 control for sensitive content in the mailbox. What sensitive content 0:44:50.400 --> 0:44:52.920 do I even have in mailboxes? Like, right. Like, do 0:44:52.920 --> 0:44:55.200 I even need this? Like, I have no idea. Like, 0:44:55.200 --> 0:44:57.660 it's like, I suspect that I probably need this, but like, 0:44:57.660 --> 0:45:00.450 I have no idea. And so we were like, oh shit. Like, 0:45:00.450 --> 0:45:03.300 obviously like step one is to give you visibility and 0:45:03.300 --> 0:45:06.990 help you understand what even is there. And so, like, selfishly, 0:45:06.989 --> 0:45:09.180 for us, it kind of helped us tell the story 0:45:09.180 --> 0:45:10.980 of why you need some of the controls that we're 0:45:10.980 --> 0:45:15.180 talking about, but also for, for security teams, it's often 0:45:15.180 --> 0:45:17.640 step one anyway, which is just like, okay, like now 0:45:17.640 --> 0:45:19.560 I have a lay of the land. The other thing 0:45:19.560 --> 0:45:22.530 is you kind of mentioned the S3 bucket. And that 0:45:22.530 --> 0:45:26.100 I think is a really great point. Like it is 0:45:26.100 --> 0:45:29.490 a very well understood in cloud security that like, you know, 0:45:29.489 --> 0:45:33.660 Cspm is like cnaps all this stuff like are very, 0:45:33.660 --> 0:45:36.600 you know, well understood category. People understand why they need 0:45:36.630 --> 0:45:39.359 them because there's all this stuff happening in your cloud environment. 0:45:39.360 --> 0:45:43.980 There's different teams, uh, creating like software, uh, all these 0:45:43.980 --> 0:45:46.830 settings to think about. And so you need a platform 0:45:46.830 --> 0:45:49.830 that's like looking at behavior, looking at vulnerabilities and kind 0:45:49.830 --> 0:45:53.100 of like showcasing the top, riskiest ones and helping you 0:45:53.100 --> 0:45:57.060 address them literally, word for word. Everything I just said 0:45:57.060 --> 0:46:01.410 applies to the productivity suite, right? Like M365 and Google Workspace. 0:46:01.410 --> 0:46:05.009 And yet there isn't really a cspm equivalent for just 0:46:05.010 --> 0:46:10.440 those products. There's there are SPM tools where they're like, oh, well, 0:46:10.440 --> 0:46:13.980 we cover 50 apps and M365 is one of them. 0:46:13.980 --> 0:46:16.500 And because they cover 50. The apps. It's hard for 0:46:16.500 --> 0:46:19.860 them to go deep on the productivity suite. Um, and 0:46:19.860 --> 0:46:23.399 so they'll give a some surface level detections, but the 0:46:23.400 --> 0:46:25.980 sort of like depth of a cspm that is entirely 0:46:25.980 --> 0:46:30.690 focused on cloud security does not exist for the productivity suite. 0:46:30.690 --> 0:46:33.270 And it's an area that we're at material like, very 0:46:33.270 --> 0:46:36.570 excited about pursuing, because I don't really see a good 0:46:36.570 --> 0:46:38.189 reason that there isn't an equivalent. 0:46:39.020 --> 0:46:42.469 Yeah, especially when the implications of a setting being one 0:46:42.469 --> 0:46:47.090 way versus another are so huge. Yeah, right. And there's 0:46:47.090 --> 0:46:49.310 also a lot of opportunity there to be like, look 0:46:49.310 --> 0:46:52.160 you are this type of risk posture of a company. 0:46:52.160 --> 0:46:55.430 You really care about these relationships or whatever. So out 0:46:55.430 --> 0:46:59.570 of the 312 settings available in this platform, we recommend 0:46:59.570 --> 0:47:00.740 the following settings three. 0:47:00.739 --> 0:47:03.049 Yeah, totally. Um, and it's kind of similar to what 0:47:03.050 --> 0:47:04.700 you were saying earlier, right? Like if you make a 0:47:04.700 --> 0:47:08.450 register of the like most common attacks anyway, and you 0:47:08.450 --> 0:47:11.089 just start with that, like here, here, like the 10 0:47:11.090 --> 0:47:14.240 or 15 things that like are almost always the culprits 0:47:14.239 --> 0:47:17.509 like and again, Cspm learned that a while ago and 0:47:17.510 --> 0:47:19.819 I think they're like, okay. Yeah. Like we keep leaving 0:47:19.820 --> 0:47:23.000 buckets open, like, let's stop doing this. You know, I 0:47:23.000 --> 0:47:26.540 think that there are equivalents, uh, in, for example, like 0:47:26.540 --> 0:47:28.940 we have a product, we have a fifth product that 0:47:28.940 --> 0:47:31.910 I actually forgot to mention that is very new, and 0:47:31.910 --> 0:47:34.549 it focuses on Google Drive. So a lot of the 0:47:34.550 --> 0:47:36.740 same stuff that we had heard over the years with 0:47:36.739 --> 0:47:40.760 sensitive content in email, people were like, our customers were like, hey, 0:47:41.150 --> 0:47:43.100 I have a lot of these problems with Google Drive, 0:47:43.100 --> 0:47:47.180 like just the files. And, um, and that product is 0:47:47.180 --> 0:47:50.060 all about detecting kind of oversharing, because a lot of 0:47:50.060 --> 0:47:53.270 times what happens is it literally equivalent to the S3 bucket? 0:47:53.270 --> 0:47:55.940 You might have some file that was shared at one 0:47:55.940 --> 0:47:59.450 point with anyone with the link permissions, uh, even though 0:47:59.450 --> 0:48:01.910 like it didn't need to be and it's got sensitive content. 0:48:01.910 --> 0:48:03.680 And now it's been two years since anyone has ever 0:48:03.680 --> 0:48:07.130 looked at it. But, you know, it's mentioned in some 0:48:07.130 --> 0:48:09.109 email that might be part of a breach. And now 0:48:09.110 --> 0:48:11.960 all of a sudden it's accessible. So how do you 0:48:11.960 --> 0:48:13.640 go clean that up? Like you're not going to have 0:48:13.640 --> 0:48:16.759 a security team that's sitting around like auditing their Google Drive, 0:48:16.760 --> 0:48:19.520 which has like millions of files. So you can automate that. 0:48:19.520 --> 0:48:21.530 You can do things like, hey, if it has sensitive 0:48:21.530 --> 0:48:24.589 content and it also has these permissions like revoke them 0:48:24.590 --> 0:48:26.660 in this way and notify the owner so you can 0:48:26.660 --> 0:48:30.620 build workflows and kind of get the end users involved. 0:48:30.620 --> 0:48:32.840 Because that's the only way to have like a tenable 0:48:32.840 --> 0:48:35.360 solution there. Otherwise you're just going to have a security 0:48:35.360 --> 0:48:37.700 team that is trying to like, go through a giant 0:48:37.700 --> 0:48:40.130 backlog of these and will never prioritize it. And it's 0:48:40.130 --> 0:48:42.290 just one of those, like, active risks just sitting there. 0:48:42.560 --> 0:48:44.780 Um, yeah, absolutely. 0:48:44.780 --> 0:48:48.920 Any new research or new new exciting stuff coming out soon? 0:48:49.400 --> 0:48:52.160 Yeah. The thing that I'm very excited about is kind 0:48:52.160 --> 0:48:53.900 of what I was alluding to. So maybe I'll describe 0:48:53.900 --> 0:48:56.180 it in a little bit more detail. But basically we 0:48:56.180 --> 0:48:59.450 think that, um, there is an opportunity to do more 0:48:59.450 --> 0:49:02.270 than just email. Email is just one part of this 0:49:02.270 --> 0:49:06.650 suite of products, obviously, uh, which includes like files and 0:49:06.650 --> 0:49:09.799 chat and all the posture and settings that come with 0:49:09.800 --> 0:49:13.280 the productivity suites. And we kind of want to broaden 0:49:13.280 --> 0:49:16.370 and cover more and more of that. Uh, and so 0:49:16.370 --> 0:49:20.210 the really new thing for us is broadening beyond email. 0:49:20.210 --> 0:49:22.760 We did that with Google Drive. Um, we plan to 0:49:22.760 --> 0:49:26.210 do something similar on the Microsoft side in the future. Um, 0:49:26.210 --> 0:49:29.569 and then, uh, where it gets really interesting though, is 0:49:29.570 --> 0:49:32.600 you now unlock kind of new types of correlations. You 0:49:32.600 --> 0:49:37.460 can do if you have access to content, uh, settings 0:49:37.460 --> 0:49:40.850 and logs, you can really correlate these things together. So 0:49:40.850 --> 0:49:43.969 like let me give you a simple example. Um, let's 0:49:43.969 --> 0:49:48.109 say that I have a Google group that allows external 0:49:48.110 --> 0:49:50.509 people to post to it. That is a very common 0:49:50.510 --> 0:49:53.359 thing that exists in basically every company because you have 0:49:53.360 --> 0:49:57.050 like support at or you have like, you know, help 0:49:57.050 --> 0:49:59.719 at or whatever. But now let's say that that Google 0:49:59.719 --> 0:50:03.350 Group also has weak moderation settings, spam moderation settings, which, 0:50:03.350 --> 0:50:05.660 by the way, is their default for Google groups. Don't 0:50:05.660 --> 0:50:08.089 ask me why, but that's the default. Okay, so that's 0:50:08.090 --> 0:50:10.850 a little worse because now I can like, use this 0:50:10.850 --> 0:50:15.469 Google group to send you, uh, malicious emails that may 0:50:15.469 --> 0:50:18.680 bypass your like, existing controls because the spam moderation settings 0:50:18.680 --> 0:50:21.200 are lower. So that's those two things are a little 0:50:21.200 --> 0:50:23.390 bit worse. And now let's say that that same Google 0:50:23.390 --> 0:50:25.790 group is actually the one that like your CEO is 0:50:25.790 --> 0:50:28.190 a member of, or you're like, finance guy is a 0:50:28.190 --> 0:50:31.850 member of. Now it's like even worse because it's like, okay, well, 0:50:31.850 --> 0:50:34.880 if I want to like do like a high profile attack, 0:50:34.880 --> 0:50:38.240 I have now a path into a VIP. So in 0:50:38.239 --> 0:50:41.360 Google Workspace today to get each of these three signals 0:50:41.360 --> 0:50:44.900 are different API calls. Um, and you have to kind 0:50:44.900 --> 0:50:47.810 of correlate them together and write your own detection in 0:50:47.810 --> 0:50:49.550 the future. What we want to do with material is 0:50:49.550 --> 0:50:52.550 like basically have our threat research team come up with 0:50:52.550 --> 0:50:55.820 a lot of these common scenarios that we see express 0:50:55.820 --> 0:50:58.550 them as detections that just come out of the box 0:50:58.550 --> 0:51:02.300 and help you really attack these and, and leverage the 0:51:02.300 --> 0:51:04.970 fact that we have the content access, but we also 0:51:04.969 --> 0:51:09.080 have the, uh, settings and log data access, because when 0:51:09.080 --> 0:51:11.450 you can put those three things together, that's where like 0:51:11.450 --> 0:51:14.419 you can build some really high signal detections. One big 0:51:14.420 --> 0:51:16.759 problem with Cspm, since we were talking about them in 0:51:16.760 --> 0:51:21.200 the past, is a long time, uh, ago, like people 0:51:21.200 --> 0:51:22.910 kind of almost gave up on them because they used 0:51:22.910 --> 0:51:26.000 to have so much noise. Right? It's like it was untenable. 0:51:26.000 --> 0:51:28.550 It's like you go in, it's like million issues detected 0:51:28.550 --> 0:51:30.230 and you're like, great, I'm never going to do anything 0:51:30.230 --> 0:51:32.960 about this. What I think the modern Cspm did a 0:51:32.960 --> 0:51:35.300 really good job with, you know, like, I'm like, thinking of, like, 0:51:35.300 --> 0:51:38.350 The Wiz or Orca's of the world. Is. He said, well, 0:51:38.469 --> 0:51:40.570 actually we are going to have a million issues, but 0:51:40.570 --> 0:51:43.870 out of those million, there's probably 40 that you really, really, 0:51:43.870 --> 0:51:47.410 really need to address. And those are like these, uh, 0:51:47.410 --> 0:51:49.750 those are those like attack paths, the ones that like, 0:51:49.750 --> 0:51:53.259 correlate 3 or 4 different things together, and they raise 0:51:53.260 --> 0:51:56.200 the severity of that detection. Um, I think it's a 0:51:56.200 --> 0:51:58.060 really smart model. And I think it's kind of what 0:51:58.060 --> 0:52:01.180 we want to do on the, on the, uh, workspace side. 0:52:02.060 --> 0:52:05.330 Yeah, I love that. I feel like everything is going 0:52:05.480 --> 0:52:10.160 eventually towards this, uh, inevitable place, which is gather all 0:52:10.160 --> 0:52:12.500 the context and point intelligence at it. 0:52:12.500 --> 0:52:14.180 Yeah. Right. 0:52:14.180 --> 0:52:17.750 And so I love the fact that you're bringing together 0:52:17.750 --> 0:52:21.050 all that different context, the state of the configuration of 0:52:21.050 --> 0:52:21.980 the platform. 0:52:21.980 --> 0:52:22.460 Yes. 0:52:22.460 --> 0:52:26.779 The things you're concerned about, actual logs plus threat intelligence. 0:52:26.780 --> 0:52:28.310 Now you've got a real picture. 0:52:28.310 --> 0:52:31.850 Exactly. And this was kind of the promise of XDR 0:52:31.850 --> 0:52:35.180 or whatever. But I think that the, the challenge is 0:52:35.180 --> 0:52:36.860 that like if you try to do it for all 0:52:36.860 --> 0:52:40.759 security across all platforms, it really does feel like a 0:52:40.760 --> 0:52:44.450 gnarly kind of untenable problem. So where I think people 0:52:44.450 --> 0:52:46.820 have done a good job is where they've kind of 0:52:46.820 --> 0:52:50.120 carved a boundary so that they can focus and kind 0:52:50.120 --> 0:52:52.760 of go deep. Uh, the thing that I think hasn't 0:52:52.760 --> 0:52:54.950 worked is when you kind of create like a very 0:52:54.950 --> 0:52:57.020 horizontal products that are a mile wide and an inch 0:52:57.020 --> 0:53:00.620 deep because they just can't really get to the to 0:53:00.620 --> 0:53:02.630 the true insights, and they end up just spamming you 0:53:02.630 --> 0:53:04.790 with something that's like, yes, it's a risk, but is 0:53:04.790 --> 0:53:06.950 it really your top priority? And you just, you know, 0:53:06.950 --> 0:53:09.980 I've talked to some CISOs who talk about those products, uh, 0:53:09.980 --> 0:53:12.350 as like kind of report card products where it's like, 0:53:12.350 --> 0:53:14.420 let's just make you feel bad, you know, and it's like, yeah, yeah, 0:53:14.690 --> 0:53:17.960 like much to do. I think what, what we are 0:53:17.960 --> 0:53:20.569 interested in is trying to find the balance between, yeah, 0:53:20.570 --> 0:53:23.510 broadened beyond email, but kind of still focus really on 0:53:23.510 --> 0:53:26.150 this productivity suite so that you can still go deep 0:53:26.150 --> 0:53:29.270 and not get overextended. Um, and it's a it's a 0:53:29.270 --> 0:53:32.299 tricky balance, but I think like that kind of going 0:53:32.300 --> 0:53:36.290 into the full XDR thing is probably a little too broad. Yeah. 0:53:37.040 --> 0:53:37.820 Well, cool. 0:53:37.820 --> 0:53:40.460 Where can people learn more about material? 0:53:40.760 --> 0:53:44.330 Yeah. Head over to material Dot security. We try to, 0:53:44.360 --> 0:53:46.910 you know, explain what we do in really simple terms. 0:53:46.910 --> 0:53:49.730 There's like videos and stuff that show how the product works. 0:53:49.730 --> 0:53:52.820 So that's the best way to learn about material and 0:53:53.000 --> 0:53:54.680 reach out if you'd like to learn more. 0:53:55.070 --> 0:53:57.350 Awesome. Well, I love the approach. I love the way 0:53:57.350 --> 0:53:59.990 you're thinking about this. It's exactly the way that I 0:53:59.989 --> 0:54:03.020 would approach this. Awesome. So I really, really great to 0:54:03.020 --> 0:54:05.870 hear it. And, uh, I enjoyed the conversation. 0:54:05.870 --> 0:54:07.610 Yeah. Me too. Thank you so much. 0:54:07.760 --> 0:54:09.770 All right. Take care. See you.