WEBVTT - A Conversation with Patrick Duffy from Material Security 0:00:00.880 --> 0:00:05.040 Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 0:00:05.080 --> 0:00:10.000 national security, AI, technology and society, and how best to 0:00:10.039 --> 0:00:18.479 upgrade ourselves to be ready for what's coming. All right, Patrick, 0:00:18.480 --> 0:00:20.000 welcome to Unsupervised Learning. 0:00:20.480 --> 0:00:21.880 Thanks, Daniel. Pleasure to be here. 0:00:23.520 --> 0:00:28.760 Yeah. So, um, last time I chatted with, uh, material, um, 0:00:28.800 --> 0:00:33.160 I spoke with Abhishek. We had a really interesting conversation, and, uh, 0:00:33.200 --> 0:00:35.120 what I really took away from that, that I found 0:00:35.120 --> 0:00:38.839 so interesting was like this focus on because I asked. 0:00:38.880 --> 0:00:41.840 I asked about, uh, detective controls, and he's like, yeah, 0:00:41.840 --> 0:00:44.639 it's not so much about detection. It's more about like 0:00:44.920 --> 0:00:49.479 putting on the seatbelts and preventative controls, like what happens 0:00:49.479 --> 0:00:52.880 after a breach. How do you limit the blast radius? Um, 0:00:53.280 --> 0:00:56.520 and I thought that was a really interesting characterization. Is 0:00:56.520 --> 0:00:58.080 that the way you think about it as well? 0:00:58.440 --> 0:01:01.210 Yeah, that's certainly a large part of it. And, you know, 0:01:01.250 --> 0:01:03.090 when I think about what we're doing here at material, 0:01:03.090 --> 0:01:06.250 it's actually the the seat belts, but also the brakes 0:01:06.250 --> 0:01:09.170 as well, and picking up on the accidents before they happen. 0:01:09.569 --> 0:01:11.810 So that's where we're heading as a, as a company of, 0:01:11.970 --> 0:01:14.649 you know, not only doing the threat detection, making sure 0:01:14.650 --> 0:01:17.770 that if and when something does does go kind of sideways, 0:01:17.770 --> 0:01:21.010 we can stop that and prevent as much impact as 0:01:21.010 --> 0:01:21.490 we can. 0:01:23.490 --> 0:01:29.450 Yeah. That's fantastic. Um, so before we jump into the 0:01:29.450 --> 0:01:32.250 product more deeply, uh, what types of stuff are you 0:01:32.250 --> 0:01:36.850 seeing out there? Like, what types of threats are you seeing? Uh, attacks. Like, 0:01:36.850 --> 0:01:39.130 where are the attackers doing currently? 0:01:39.250 --> 0:01:41.610 Yeah. So one of the things we're seeing, uh, you know, 0:01:41.770 --> 0:01:43.890 not going to be surprising, I think, to your audience, 0:01:43.930 --> 0:01:47.170 is a lot of inbound phishing threats that are hitting organizations. 0:01:47.170 --> 0:01:49.930 We know that that is a pretty, uh, popular entry 0:01:49.930 --> 0:01:53.690 point into a lot of the infrastructure for teams. And 0:01:53.690 --> 0:01:56.450 so we see that pretty frequently. But also, you know, 0:01:56.490 --> 0:01:58.930 one of the things that is, I think, Underlooked, when 0:01:58.930 --> 0:02:01.190 it comes to the cloud office. Is that lateral movement 0:02:01.190 --> 0:02:04.630 across the cloud office? Right. So if you think about 0:02:04.630 --> 0:02:08.790 the credentials for Google Workspace or M365, it's a pretty 0:02:08.790 --> 0:02:12.669 valuable piece of information for the attacker, because for any 0:02:12.990 --> 0:02:15.829 employee at an organization, it's the first thing that they 0:02:15.830 --> 0:02:17.990 get when they onboard and the last thing that they 0:02:17.990 --> 0:02:20.790 have when they off right before they off board. So 0:02:20.950 --> 0:02:22.830 that's usually the keys to the kingdom when it comes 0:02:22.830 --> 0:02:26.269 to not only other tools, but also within the organization. 0:02:26.270 --> 0:02:28.630 So you can move pretty freely once you have access 0:02:28.910 --> 0:02:32.709 to somebody's email credentials, to head across the shared drives 0:02:32.710 --> 0:02:35.150 and all that sensitive information, which can be pretty damaging 0:02:35.150 --> 0:02:37.030 as we've seen with past breaches. 0:02:38.150 --> 0:02:40.550 Yeah, so that makes sense. So it's not only access 0:02:40.550 --> 0:02:43.790 to email, but like you said, it's Google Docs, it's drives. 0:02:43.790 --> 0:02:47.149 It's um, I mean, that's the power of the ecosystem 0:02:47.389 --> 0:02:50.390 is that you can move around, right. So that same 0:02:50.470 --> 0:02:52.669 same advantage is for the attacker. 0:02:52.710 --> 0:02:53.230 Yeah. And it's. 0:02:53.230 --> 0:02:53.590 Also. 0:02:53.790 --> 0:02:55.910 Sorry I just want to jump in as well. It's interesting. Right. 0:02:55.910 --> 0:02:58.590 Because it's such a collaboration tool. It's also a challenge 0:02:58.590 --> 0:03:01.160 for security teams. And one of the problems and challenges 0:03:01.160 --> 0:03:04.000 we're seeing is trying to not be just the Department 0:03:04.000 --> 0:03:07.840 of No, but of facilitating collaboration across security, IT and 0:03:07.840 --> 0:03:10.360 their other colleagues. So you can't just shut down email, 0:03:10.360 --> 0:03:12.799 you can't just shut down access to drive. You have 0:03:12.800 --> 0:03:16.040 to rightsize who gets access to what and when. And 0:03:16.040 --> 0:03:17.720 so we have a lot of tools to help support 0:03:17.720 --> 0:03:18.839 that for our customers. 0:03:20.400 --> 0:03:23.120 Okay. So what does that look like? Is that a 0:03:23.120 --> 0:03:26.840 specific product for the Google space or what is that. 0:03:26.880 --> 0:03:28.840 Yeah. So it's a capability that comes with our product 0:03:28.840 --> 0:03:31.480 out of the box where we're able to enable just 0:03:31.480 --> 0:03:35.080 in time access and toufar controls for sensitive documents and 0:03:35.120 --> 0:03:37.520 documents that have basically aged out of a grace period. 0:03:37.520 --> 0:03:40.200 And so you can say, you know, within two weeks, 0:03:40.200 --> 0:03:42.840 let's put a toufar block on anything that has financial 0:03:42.840 --> 0:03:45.840 information across the organization or for these subsets of users. 0:03:45.840 --> 0:03:49.480 Let's put Toufar behind all historical emails in their inbox. 0:03:49.480 --> 0:03:52.600 So if a hacker does get access to their credentials, 0:03:52.600 --> 0:03:56.080 they can't just run wild and export data with sensitive information, 0:03:56.080 --> 0:04:00.330 proprietary information, things that could lead to real, substantial harm 0:04:00.330 --> 0:04:04.490 to an organization either reputationally or from a business impact perspective. 0:04:06.490 --> 0:04:11.330 I find this whole concept really, really cool. So so again, 0:04:11.330 --> 0:04:13.850 it's not about a sensor. It's not about, oh, I 0:04:13.890 --> 0:04:17.810 detected this. Let me make this change. It's like, look, 0:04:17.810 --> 0:04:22.690 we have this giant lake or ecosystem of sensitive content 0:04:23.450 --> 0:04:27.170 and data, and there are things we could be doing 0:04:27.170 --> 0:04:32.570 right now. Like you said, time based that are just 0:04:32.610 --> 0:04:37.969 like tweaking the knobs for settings and lockdown and configurations. 0:04:38.490 --> 0:04:41.690 So I guess there's if I'm thinking about this from 0:04:41.730 --> 0:04:46.010 like a fundamental standpoint, there's like, um, things you have 0:04:46.010 --> 0:04:51.929 to lock down. There's identity you could use, there's granular permissions. 0:04:52.410 --> 0:04:57.250 And so the product seems to be like just deciding 0:04:57.250 --> 0:05:00.230 what ideal might look like or something like that, and 0:05:00.230 --> 0:05:03.070 just going in and making those tweaks kind of on 0:05:03.070 --> 0:05:04.870 a continuous basis. Is that right? 0:05:04.910 --> 0:05:08.309 Yeah, it's on a continuous basis. And it's also contextually aware. Right. 0:05:08.310 --> 0:05:10.750 So you have to be able to understand where your 0:05:10.750 --> 0:05:13.909 employees are logging in from at an individual level on 0:05:13.910 --> 0:05:15.990 the regular, you know, on a regular basis. Because if 0:05:15.990 --> 0:05:18.510 I'm logging in from the East coast of the United 0:05:18.510 --> 0:05:22.070 States regularly and then you see a login from, you know, 0:05:22.110 --> 0:05:25.190 somewhere in Western Europe or around the globe where I'm 0:05:25.190 --> 0:05:28.430 not usually that should raise some alarms, right? And you 0:05:28.710 --> 0:05:31.470 might have some tools that will kind of flag that, 0:05:31.470 --> 0:05:33.990 but that might be in isolation. And same thing with 0:05:33.990 --> 0:05:36.750 your DLP tool like oh there are some sensitive searches happening, 0:05:36.750 --> 0:05:39.230 but that will happen in isolation. And you really need 0:05:39.230 --> 0:05:41.310 a tool that will help connect the dots of saying, 0:05:41.550 --> 0:05:44.550 we noticed a login and then we noticed some suspicious activity, 0:05:44.550 --> 0:05:47.630 and then we noticed some data exfiltration happening. Or, you know, 0:05:47.670 --> 0:05:49.630 for us, the ideal state of what we're building for 0:05:49.670 --> 0:05:51.950 is that whole throughput of, you know, if there's a 0:05:51.990 --> 0:05:55.070 novel attack happening via the inbox and the email threats 0:05:55.070 --> 0:05:58.240 that we're seeing and that, you know, a user might 0:05:58.240 --> 0:06:00.360 click through something or go to a login page that 0:06:00.360 --> 0:06:02.359 has a credential harvester of knowing that they got a 0:06:02.360 --> 0:06:06.160 suspicious email, and then they click through. And then we 0:06:06.160 --> 0:06:09.760 saw the suspicious login and then the weird anomalous activity 0:06:09.760 --> 0:06:12.680 being able to connect those dots together. Because what I've 0:06:12.680 --> 0:06:14.920 seen in my experience is point to do a pretty 0:06:14.920 --> 0:06:18.080 good job of picking up those individual data points. But 0:06:18.120 --> 0:06:21.160 it's taking a step back and seeing the full mosaic, 0:06:21.360 --> 0:06:24.719 so to speak, and having a clear understanding is that's 0:06:24.720 --> 0:06:27.040 where there's steam. Teams are still having a lot of 0:06:27.040 --> 0:06:29.560 trouble and, you know, doing a lot of work themselves 0:06:29.560 --> 0:06:31.200 that they don't necessarily need to. 0:06:32.320 --> 0:06:36.440 Okay. So let me rethink then. So so you are 0:06:36.440 --> 0:06:41.440 doing some uh, current context analysis of like what's currently 0:06:41.440 --> 0:06:44.440 going on. So I guess that is so what are 0:06:44.440 --> 0:06:47.239 the sources for that. What are you able to see. 0:06:47.240 --> 0:06:51.120 Is that all within like a Google Workspace, the logs 0:06:51.120 --> 0:06:53.760 that you're using or is that other. Do you have 0:06:53.800 --> 0:06:56.280 other telemetry other signal from other systems? 0:06:56.320 --> 0:07:00.730 Yeah. So uh, Google Workspace or Microsoft 365 or certainly 0:07:00.770 --> 0:07:02.930 it's a pretty big source of data for us. We 0:07:02.930 --> 0:07:07.010 also do in incorporate other third party intelligence tools that 0:07:07.010 --> 0:07:10.330 you would expect for a security product. Um, that really 0:07:10.330 --> 0:07:12.890 allows us to say, you know, once we see something 0:07:12.970 --> 0:07:15.410 suspicious happening, let's put things on lockdown, let's make sure 0:07:15.410 --> 0:07:19.090 that things are, are right sized for in terms of access, 0:07:19.090 --> 0:07:21.490 or we can revoke access if we notice that there's 0:07:21.490 --> 0:07:24.489 an issue that's been raised of a user with a 0:07:24.530 --> 0:07:28.210 suspicious login and a file share to a third party 0:07:28.210 --> 0:07:30.770 that is, you know, basically unsanctioned. 0:07:32.010 --> 0:07:34.770 Okay, so so walk me through like a scenario here. 0:07:34.770 --> 0:07:37.690 So I think I think you were giving me an 0:07:37.690 --> 0:07:41.610 example earlier. So it's like, um, is it a strange 0:07:41.610 --> 0:07:44.410 time of night or a strange geo that the person 0:07:44.410 --> 0:07:47.090 logs in with, like what are the various triggers that 0:07:47.090 --> 0:07:48.330 could that can get this going? 0:07:48.370 --> 0:07:50.610 Yeah, it could be, uh, you know, noticing a pattern 0:07:50.650 --> 0:07:53.530 of successive failed logins. So if somebody's trying to brute 0:07:53.530 --> 0:07:55.970 force a password and then they finally get in, we 0:07:55.970 --> 0:07:59.590 might pop a notification that says, you know, user has 0:07:59.630 --> 0:08:02.190 a login from a, you know, after a suspicious or 0:08:02.310 --> 0:08:06.030 brute force attempt. Um, and then we saw anomalous search 0:08:06.030 --> 0:08:10.150 activity on the drive. And then the administrators can, within 0:08:10.150 --> 0:08:12.750 our product, have already set up some automation that will 0:08:12.750 --> 0:08:15.830 say revoke external access to that, to those files that 0:08:15.830 --> 0:08:19.510 are being shared after that suspicious search. And so you 0:08:19.510 --> 0:08:22.670 can automatically with our product say, you know, once you've 0:08:22.670 --> 0:08:26.270 seen 1 in 2, go do the third thing automatically 0:08:26.270 --> 0:08:28.830 to revoke the access. And therefore the data shouldn't be 0:08:28.830 --> 0:08:33.309 leaving the building. Um, for anybody outside of the registered domains. 0:08:33.830 --> 0:08:38.069 Okay. So those are pre-set up. So those are preventative. Yep. Uh, 0:08:38.110 --> 0:08:41.230 is there anything that's like dynamically happening uh, to like, 0:08:41.230 --> 0:08:43.150 dynamically write some of those rules? 0:08:43.510 --> 0:08:45.470 Um, so our team is we have a team of 0:08:45.470 --> 0:08:48.670 three researchers, and we also use AI. As you know, 0:08:48.670 --> 0:08:52.230 a lot of the companies are today, um, to analyze 0:08:52.230 --> 0:08:54.310 our rule sets and make sure that we're really being 0:08:54.309 --> 0:08:57.640 really precise with, um, the roles that we're writing, but 0:08:57.640 --> 0:09:00.720 also our customers can come in and write the custom 0:09:00.720 --> 0:09:03.839 rules based off of very specific threats that they're thinking about, 0:09:03.840 --> 0:09:07.000 or wanting to be proactive around data sets that isn't 0:09:07.040 --> 0:09:11.320 necessarily super sensitive, but important to their organization. You know, 0:09:11.360 --> 0:09:13.800 an example that we, you know, we've seen a couple 0:09:13.800 --> 0:09:16.480 of times is around some notes for board meetings where 0:09:16.720 --> 0:09:19.120 there might not be sensitive information in there, per se, 0:09:19.160 --> 0:09:22.480 but you don't want those getting out. And so customers 0:09:22.480 --> 0:09:24.760 can set up rules for saying, you know, if it 0:09:24.760 --> 0:09:28.560 goes to X, y, z domain or XYZ email address, 0:09:28.800 --> 0:09:32.120 you know, let's put that behind the toufar. Um, for 0:09:32.120 --> 0:09:34.040 any access for that document. 0:09:35.360 --> 0:09:39.480 Yeah, that makes sense. And are there different, um, sets 0:09:39.520 --> 0:09:42.360 of templates. So like if there's a particular customer that 0:09:42.360 --> 0:09:45.559 comes on, is there like a threat model for that 0:09:45.559 --> 0:09:47.960 particular kind of customer where they would want to install 0:09:47.960 --> 0:09:50.959 a whole bunch of these preventative things, like all as, 0:09:51.000 --> 0:09:52.280 like a group or a cluster? 0:09:52.640 --> 0:09:55.120 Um, not today. One of the things we are thinking 0:09:55.120 --> 0:09:58.890 about and engaging in conversations with our customers with is 0:09:59.090 --> 0:10:01.490 really trying to rightsize what that looks like based off 0:10:01.490 --> 0:10:04.010 of the threat plane. Um, so, you know, we work 0:10:04.010 --> 0:10:07.010 with financial services companies and we're seeing something, but that's 0:10:07.010 --> 0:10:11.089 also fairly similar to healthcare. Um, and so we're starting to, 0:10:11.130 --> 0:10:13.970 to group things like that. Um, you know, if it's a, 0:10:14.010 --> 0:10:16.929 you know, an upcoming SaaS startup with a small security 0:10:16.970 --> 0:10:19.090 team that's a different set of profiling that they want 0:10:19.130 --> 0:10:21.570 to do. And so, um, you know, we're starting to, 0:10:21.610 --> 0:10:24.170 to work towards that. Um, and that's definitely an evolution 0:10:24.170 --> 0:10:25.250 of our product that's coming. 0:10:26.690 --> 0:10:31.370 Okay. But when somebody onboards what what all gets turned 0:10:31.370 --> 0:10:35.090 on automatically, is it a number of. Yeah. These preventative 0:10:35.090 --> 0:10:38.010 controls are already just by default there. Right. 0:10:38.050 --> 0:10:41.410 Yeah. So we have, um, you know, in the hundreds 0:10:41.410 --> 0:10:44.450 of rules at this point between our email and cloud office. 0:10:44.570 --> 0:10:47.370 Um threat suite, um, that are on by default when 0:10:47.370 --> 0:10:50.130 somebody signs up for material. So this includes things like 0:10:50.130 --> 0:10:52.689 all of our inbound threat email threat detection rules, but 0:10:52.690 --> 0:10:56.790 also suspicious file shares. um, you know, alerting to risky 0:10:56.790 --> 0:10:59.990 configurations as well inside of the workspace. So, you know, 0:11:00.030 --> 0:11:01.790 the way we're thinking about this in terms of an 0:11:01.830 --> 0:11:05.150 analogy is something like EDR for the cloud office or, 0:11:05.470 --> 0:11:08.230 you know, using an example for, you know, it's been 0:11:08.230 --> 0:11:11.150 the headlines over the last week was for Google Workspace. 0:11:11.510 --> 0:11:13.270 And so thinking about how do we give that full 0:11:13.270 --> 0:11:16.870 visibility and rule set for customers and their teams to 0:11:16.910 --> 0:11:19.470 be able to really identify where there's the most risk 0:11:19.470 --> 0:11:21.390 and then remediate it out of the box? 0:11:22.750 --> 0:11:26.270 Yeah, that makes sense. So it sounds like you're you're 0:11:26.270 --> 0:11:30.550 very much focused on this, uh, type of functionality. But 0:11:30.550 --> 0:11:32.070 what are some of the attacks that you're seeing in 0:11:32.070 --> 0:11:32.750 that space? 0:11:33.190 --> 0:11:36.590 Um, yeah. So it's, um, you know, some of the 0:11:36.590 --> 0:11:38.750 malicious actors are still, you know, phishing, trying to get 0:11:38.750 --> 0:11:42.030 the credentials, but also it's the inadvertent sharing. Um, so 0:11:42.030 --> 0:11:44.550 it's not necessarily an attack, but it's risk to the 0:11:44.550 --> 0:11:48.790 organization of a lot, you know, employees sharing sensitive documents 0:11:48.790 --> 0:11:51.430 to be set to anyone with a link can see 0:11:51.429 --> 0:11:54.600 it and just public shares where, you know, data leakage 0:11:54.600 --> 0:11:57.040 like that can be pretty damaging for organizations. And so 0:11:57.080 --> 0:11:59.400 that's that's an area where we've seen a surprisingly high 0:11:59.440 --> 0:12:02.160 number of issues being raised by our product so far 0:12:02.200 --> 0:12:05.520 of sensitive documents being shared to the entire world. 0:12:06.600 --> 0:12:11.719 Yeah, I love that. I love the fact that it 0:12:11.720 --> 0:12:16.760 doesn't have to be like, um, a front page news 0:12:16.760 --> 0:12:20.120 article like Sexy Attacker that's doing the damage. It could 0:12:20.120 --> 0:12:24.319 be the benign user who just made a mistake. And 0:12:24.640 --> 0:12:27.719 because both of those are risks, both of those are 0:12:27.720 --> 0:12:29.040 handled via rules, right? 0:12:29.080 --> 0:12:30.400 Yep. Exactly. 0:12:31.880 --> 0:12:35.800 Yeah. Awesome. What are some other, um, abuse cases? Uh, 0:12:35.800 --> 0:12:39.720 not so much attacker based, but, um, like, what are 0:12:39.720 --> 0:12:41.920 some of the other pieces that the rules cover? 0:12:41.960 --> 0:12:45.120 Yeah. So it's things like, uh, best practice configuration for 0:12:45.120 --> 0:12:48.720 the cloud office. So, you know, one example that, um, 0:12:49.120 --> 0:12:54.130 I have is organizations that might set group moderation settings 0:12:54.130 --> 0:12:58.490 to be able to be interacted with externally. And so 0:12:58.490 --> 0:13:00.130 if we think about that, right. So if you have 0:13:00.130 --> 0:13:05.090 a group of VIPs, if, if that group is externally visible, 0:13:05.090 --> 0:13:08.850 somebody can then just email bomb campaign, their VIP team 0:13:08.890 --> 0:13:11.370 or you know, their, their C-suite. And so that is 0:13:11.410 --> 0:13:13.890 can be hugely disruptive to businesses. If there's all of 0:13:13.890 --> 0:13:17.450 a sudden a DDoS campaign on the inbox because they're, 0:13:17.610 --> 0:13:20.250 you know, a group of malicious actors is actually just 0:13:20.290 --> 0:13:23.170 spamming the inbox and filling it up. Um, so that's, 0:13:23.210 --> 0:13:25.690 you know, that's another thing we've seen quite a few times, actually, 0:13:25.690 --> 0:13:29.650 where some moderation settings weren't quite, uh, optimized. And then 0:13:29.890 --> 0:13:33.569 from there, their executives, uh, inboxes were just totally filled 0:13:33.570 --> 0:13:35.730 up because of a harassment campaign. 0:13:37.730 --> 0:13:41.210 Okay, so, so humor me on this. Um, I'm trying 0:13:41.210 --> 0:13:43.770 to think of all the different granular controls you could 0:13:43.770 --> 0:13:48.090 possibly do. Um, so, so what are some of the 0:13:48.490 --> 0:13:51.930 some of the control points you could prompt for MFA 0:13:51.929 --> 0:13:57.070 if you see something suspicious. Um, you could remove access via, like, 0:13:57.110 --> 0:14:00.390 an ACL type control. You could have, like, a time 0:14:00.429 --> 0:14:02.950 based control if, like, something is outside of a certain 0:14:02.950 --> 0:14:08.790 time window. Yep. Um, what's another signal? Geo based signal? 0:14:08.830 --> 0:14:11.230 Yeah. So based off of IP address where we're seeing 0:14:11.230 --> 0:14:14.590 the logins. Um, also who they share with usually versus 0:14:14.670 --> 0:14:16.990 who they're sharing with in frequency of shares is something 0:14:16.990 --> 0:14:19.350 we're looking at. And so you know, we look for 0:14:19.350 --> 0:14:21.710 not only like the anomalous search and activity within the drive, 0:14:21.750 --> 0:14:25.229 but are you starting to email folks within your organization 0:14:25.230 --> 0:14:27.870 that you don't normally email. Right. So those sort of pattern. 0:14:27.910 --> 0:14:28.510 There you go. 0:14:28.710 --> 0:14:33.110 Outside of, you know, outside of the normal, um, kind 0:14:33.110 --> 0:14:35.590 of I would say, you know, kind of base level 0:14:36.510 --> 0:14:39.750 data points of picking up where real anomalies that this 0:14:39.750 --> 0:14:42.030 is unusual for a user based off of what we 0:14:42.030 --> 0:14:42.910 usually see. 0:14:44.150 --> 0:14:47.590 And how about like a classification or a content type. 0:14:47.630 --> 0:14:49.350 Are you able to see anything like that? 0:14:49.390 --> 0:14:52.920 Yeah. So we classify everything in the drive based off 0:14:52.920 --> 0:14:55.040 of the type of information that's there. So we pick 0:14:55.080 --> 0:14:59.120 up on things like Social Security numbers, financial information. Customers 0:14:59.120 --> 0:15:03.640 can also add additional custom tags for things like proprietary information. 0:15:03.960 --> 0:15:06.640 And so you know and that integrates directly with Google 0:15:06.640 --> 0:15:09.440 Workspace where, you know, if somebody puts that tag on 0:15:09.440 --> 0:15:12.400 a document, we'll obviously pick it up and then some. 0:15:12.520 --> 0:15:14.720 The security team can then remediate and protect it as, 0:15:14.760 --> 0:15:15.480 as they want. 0:15:16.960 --> 0:15:24.480 Okay. And then you mentioned particular drives internally. What what 0:15:24.480 --> 0:15:28.320 about threat intelligence on or at least basic threat intelligence 0:15:28.320 --> 0:15:32.840 on like oh, it's pastebin. Uh, this very sensitive thing 0:15:32.840 --> 0:15:35.760 is being put on pastebin, which everyone knows is like 0:15:35.760 --> 0:15:38.000 a dump site. Is that the type of thing you 0:15:38.000 --> 0:15:38.920 can get signal from? 0:15:38.960 --> 0:15:41.640 Yeah, yeah, we're pulling in, um, you know, things like 0:15:41.640 --> 0:15:44.000 that of, you know, have I been owned? Uh, sorts 0:15:44.000 --> 0:15:46.040 of websites of being able to pull that Intel for 0:15:46.040 --> 0:15:48.920 accounts and other sorts of information. Um, you know, we're 0:15:48.920 --> 0:15:54.050 also looking out for, um, Impersonation campaigns on login site 0:15:54.090 --> 0:15:57.010 login sites. So, um, you know, taking kind of the 0:15:57.010 --> 0:16:02.130 IP and um, other information from customer, an organization profile 0:16:02.130 --> 0:16:03.970 and how malicious actors are using it and try and 0:16:03.970 --> 0:16:04.890 protect against that. 0:16:06.890 --> 0:16:10.650 Yeah, that's really cool. Okay. So you said you have 0:16:10.650 --> 0:16:15.770 like hundreds of rules. That's that's the basic, uh, magnitude there. 0:16:16.450 --> 0:16:19.730 And that would be these various combinations of these different 0:16:19.730 --> 0:16:22.410 signals combined with the different control point. Right. 0:16:22.450 --> 0:16:23.410 Yep. Exactly. 0:16:23.490 --> 0:16:31.770 Um, interesting. Yeah. Any, um, any other thoughts on, um, 0:16:32.090 --> 0:16:36.690 the functionality here or the types of attacks that it's, uh, detecting? 0:16:37.210 --> 0:16:40.330 Um, really the thing that I'm excited about that we're 0:16:40.330 --> 0:16:42.970 picking up on and helping protect against is really the 0:16:43.090 --> 0:16:46.490 lateral movement across the workspace while not getting in the 0:16:46.490 --> 0:16:50.210 way of productivity for the organizations. Because, you know, I 0:16:50.250 --> 0:16:52.430 you know, I've been in security for a few years now. And, 0:16:52.470 --> 0:16:54.350 you know, one of the things that's, um, you know, 0:16:54.390 --> 0:16:58.630 really interesting to see is how passionate security professionals are 0:16:58.670 --> 0:17:00.910 about trying to stop the threat, but also how afraid 0:17:00.910 --> 0:17:03.310 they are of getting in the way of business operations. 0:17:03.670 --> 0:17:05.230 And I've seen a little bit of a gun shy 0:17:05.270 --> 0:17:07.229 mentality at times of like, hey, should I go do 0:17:07.230 --> 0:17:09.869 this remediation? Should I, you know, cut off this box 0:17:09.869 --> 0:17:12.470 from the internet? Well, I know that the attacker is there, 0:17:12.470 --> 0:17:14.270 so yes, you should. But I also know that this 0:17:14.270 --> 0:17:16.870 is a pretty important laptop, right? And so being able 0:17:16.869 --> 0:17:19.350 to then connect the dots of this lateral movement. And 0:17:19.390 --> 0:17:22.510 now the office where everyone is working, uh, you know, 0:17:22.550 --> 0:17:24.710 in the cloud, it's, it's pretty cool to be able 0:17:24.710 --> 0:17:26.590 to then say like, hey, we are actually with pretty 0:17:26.590 --> 0:17:31.390 high fidelity picking up the suspicious login, the suspicious drive activity, 0:17:31.390 --> 0:17:33.350 and then shutting it down in a way that the 0:17:33.350 --> 0:17:36.510 user might not even realize how they're being protected at 0:17:36.510 --> 0:17:38.030 the end of the day, because we're not kicking them 0:17:38.030 --> 0:17:41.669 out of their session immediately. We're protecting the the data first, 0:17:41.670 --> 0:17:43.750 and then allowing the security team to then go follow 0:17:43.750 --> 0:17:45.149 up and say with the user like, hey, just so 0:17:45.150 --> 0:17:47.270 you know, we've been compromised, we're going to shut down, 0:17:47.310 --> 0:17:48.990 you know, revoke access to your account for a second. 0:17:48.990 --> 0:17:52.119 We'll do a password reset, which we can also support. 0:17:52.359 --> 0:17:54.440 And so that's all within the realm of being able 0:17:54.440 --> 0:17:58.240 to really work collaboratively, collaboratively with colleagues for security team 0:17:58.240 --> 0:18:01.360 versus just coming in and being a disruptive force for 0:18:01.359 --> 0:18:02.320 the organization. 0:18:03.600 --> 0:18:06.600 Yeah. Interesting. So what does that interaction look like? How 0:18:06.640 --> 0:18:11.080 do you let them know or how does that interaction 0:18:11.080 --> 0:18:14.720 happen when you feel like you're dealing with something that's 0:18:14.720 --> 0:18:18.119 live and like has to be dealt with right now? Um, 0:18:18.160 --> 0:18:21.560 so are you, uh, is it a text platform? Is 0:18:21.560 --> 0:18:24.200 it an email or like, how are they getting that? 0:18:24.240 --> 0:18:27.920 Yeah. So our customers can integrate us into their entire workflow. 0:18:27.920 --> 0:18:31.000 So we integrate with tools like Pagerduty, slack. You know, 0:18:31.040 --> 0:18:34.200 we integrate with tools like tines. And so any automation 0:18:34.200 --> 0:18:36.919 workflow that will then take that signal from us and 0:18:36.920 --> 0:18:39.480 you can run with it automatically is something we support. 0:18:39.480 --> 0:18:42.080 And so, you know, for security teams, they can sign 0:18:42.080 --> 0:18:44.560 up for a slack notification when they get a high 0:18:44.600 --> 0:18:47.480 or critical alert from us. And that'll drop into their, 0:18:47.520 --> 0:18:49.600 you know, security team channel that they may have configured 0:18:49.600 --> 0:18:52.770 for material inside of their workspace, inside of their slack workspace. 0:18:53.369 --> 0:18:55.689 And then from there they can, you know, decide to 0:18:55.690 --> 0:18:57.850 action it. They can let their automation tool take care 0:18:57.850 --> 0:18:59.850 of it, or they can reach out out of band 0:18:59.850 --> 0:19:02.410 for their, you know, for their colleagues, of letting them know, like, hey, like, 0:19:02.450 --> 0:19:05.250 we know we've protected the document. That's cool. We now 0:19:05.250 --> 0:19:07.730 need to reset, you know, the password, and we'll make 0:19:07.730 --> 0:19:09.330 sure that you do that in a timely manner. 0:19:10.410 --> 0:19:13.290 That makes sense. And when you talk about the lateral 0:19:13.290 --> 0:19:17.330 movement piece, give me an example of, um, you talking 0:19:17.330 --> 0:19:22.730 about an active attacker doing that or are you talking about. Um, yeah. Exactly. 0:19:22.730 --> 0:19:24.290 What do you mean by the lateral movement? 0:19:24.330 --> 0:19:26.649 Yeah. So it is an active attacker. So once, you know, 0:19:26.690 --> 0:19:30.050 credentials have been, you know, stolen and somebody is able 0:19:30.050 --> 0:19:32.570 to log into an organization, you know, that might not 0:19:32.570 --> 0:19:35.930 have MFA or they've bypassed MFA. Once we start seeing 0:19:35.930 --> 0:19:39.770 that anomalous login or the anomalous search activity, we'll be 0:19:39.810 --> 0:19:43.730 able to then shut down the the attack by putting 0:19:43.730 --> 0:19:47.410 everything behind the toufar for a customer at that moment. Or, um, 0:19:47.450 --> 0:19:49.970 you know, if that's already pre-configured as a general protection, 0:19:50.030 --> 0:19:51.310 They don't have to worry about that. 0:19:53.270 --> 0:19:56.230 Okay. Yeah that's interesting. So normally they would have been 0:19:56.230 --> 0:20:00.670 able to just pull up files from a given share. 0:20:01.109 --> 0:20:06.230 But because they did this sensitive activity that looks anomalous, 0:20:07.150 --> 0:20:10.390 it doesn't stop them, but it just puts up the 0:20:10.390 --> 0:20:13.870 toufar to just guarantee that they're actually who they say 0:20:13.869 --> 0:20:14.429 they are. 0:20:14.470 --> 0:20:17.149 Yeah, yeah. And customers can also dial this in to 0:20:17.190 --> 0:20:19.629 the severity that they wish. So you know, we have 0:20:19.630 --> 0:20:22.030 some customers that will say, you know what. As soon 0:20:22.030 --> 0:20:24.949 as we see this suspicious login, revoke the session, reset 0:20:24.950 --> 0:20:27.790 the password. You know, no matter what's going on with 0:20:27.790 --> 0:20:31.429 the okay. But other organizations will say, you know what? 0:20:31.470 --> 0:20:34.590 Like what I really care about is the sensitive documents 0:20:34.590 --> 0:20:36.630 and not being disruptive to my colleagues. And they have 0:20:36.630 --> 0:20:39.910 that configurability within the product where they can really set 0:20:39.910 --> 0:20:41.950 their threshold for how much risk they want to take 0:20:41.950 --> 0:20:45.070 on or disruption they want to bring to the organization. Because, 0:20:45.230 --> 0:20:48.550 you know, past lives, I've seen instances where the security 0:20:48.550 --> 0:20:52.080 team has found ransomware on a machine, and it happened 0:20:52.080 --> 0:20:53.880 to be for an executive who was about to give 0:20:53.880 --> 0:20:57.159 a board presentation. And so, you know, it's one of 0:20:57.160 --> 0:20:59.840 those like, situations where you really want to try and 0:20:59.840 --> 0:21:02.960 think about how your organization works and rightsize the response. 0:21:03.280 --> 0:21:05.239 And we're trying to enable that by picking up the 0:21:05.240 --> 0:21:08.800 signal all the way across the spectrum and allowing security 0:21:08.800 --> 0:21:11.040 teams to choose when is the right time for them 0:21:11.040 --> 0:21:14.359 to respond for specific sorts of threats within the product. 0:21:15.480 --> 0:21:20.560 Yeah. And like you said, to adjust the control set 0:21:20.560 --> 0:21:24.520 according to the risk appetite for that organization. Right. Um, yeah. 0:21:24.520 --> 0:21:27.879 I love the fact that you can switch right into 0:21:27.920 --> 0:21:32.600 ATO if, uh, the security team wants to, but if 0:21:32.760 --> 0:21:35.960 there's like a culture of like, no, that's too extreme. 0:21:36.400 --> 0:21:40.400 And that would make the security team look bad or whatever. 0:21:40.760 --> 0:21:45.000 We need a more gentle approach. Let's just prompt for, uh, MFA. 0:21:45.040 --> 0:21:47.760 Yeah, exactly. And, you know, one of the up and 0:21:47.760 --> 0:21:50.530 coming use cases that I've had some conversation with customers 0:21:50.530 --> 0:21:52.610 about that I think is is also pretty interesting, is 0:21:52.609 --> 0:21:57.370 around sharing of documents internally and starting to enable tools 0:21:57.369 --> 0:22:00.489 like Google's Gemini inside of the workspace. And so if 0:22:00.490 --> 0:22:04.090 there is sensitive information inside of a document that is 0:22:04.090 --> 0:22:07.370 unknowingly shared to everyone at the organization, that also means 0:22:07.369 --> 0:22:09.050 that Gemini can pick up on that. So that could 0:22:09.050 --> 0:22:13.210 include things like compensation and other bits of sensitive information 0:22:13.210 --> 0:22:16.770 that you might not want somebody to very easily query 0:22:16.770 --> 0:22:19.810 inside of Gemini. And so yeah, it may have been 0:22:19.810 --> 0:22:21.570 harder to find in the past, but now it becomes 0:22:21.609 --> 0:22:23.770 a lot easier to find with gen AI entering into 0:22:23.770 --> 0:22:25.530 the workspace a little more proactively. 0:22:26.450 --> 0:22:30.250 Okay. And and what is the, um, the signal pickup there? Like, 0:22:30.290 --> 0:22:32.970 how are we finding out what they're doing? 0:22:33.170 --> 0:22:34.970 Yeah. And so with that, we have a rule where 0:22:34.970 --> 0:22:38.090 it is, uh, document has sensitive information and it is 0:22:38.090 --> 0:22:39.730 shared with the entire organization. 0:22:40.690 --> 0:22:41.050 Okay. 0:22:41.130 --> 0:22:43.369 And so, you know, even something like that, a customer 0:22:43.369 --> 0:22:46.690 can then say, okay, you know, email the owner letting 0:22:46.690 --> 0:22:50.070 them know that they have this pretty over permissive sharing 0:22:50.109 --> 0:22:53.070 enabled for this file, and then give them six hours 0:22:53.070 --> 0:22:57.070 to remediate it. Otherwise then revoke access and set it 0:22:57.070 --> 0:22:57.750 to private. 0:22:58.790 --> 0:23:04.790 Okay. Yeah, that makes sense. Um. Anything new coming out soon? Any, uh, 0:23:04.790 --> 0:23:06.550 new functionality you're excited about? 0:23:06.630 --> 0:23:09.070 Uh, yeah. One of the things we'll be, uh, unveiling 0:23:09.070 --> 0:23:12.550 pretty soon is, uh, really more connective tissue across, you know, 0:23:12.550 --> 0:23:14.949 and continuing to evolve the threat, uh, and detection and 0:23:14.950 --> 0:23:18.510 response capabilities across the attack life cycle. So, um, as 0:23:18.550 --> 0:23:21.189 we're building out and maturing the product, we're focusing really 0:23:21.190 --> 0:23:23.670 on being able to connect the dots, you know, with 0:23:23.710 --> 0:23:26.990 even higher fidelity, more types of, um, use cases. So 0:23:27.030 --> 0:23:31.150 from broader DLP to inbound email threats, um, being able 0:23:31.150 --> 0:23:33.189 to really say, hey, this really does look like a 0:23:33.190 --> 0:23:36.030 problem and we're going to help you remediate it. So 0:23:36.310 --> 0:23:39.510 you're not just adding tickets to a queue, but helping, um, 0:23:39.510 --> 0:23:41.389 you know, really remediate for folks is something that we're 0:23:41.390 --> 0:23:42.630 going to be spending a lot of time on. 0:23:43.510 --> 0:23:48.280 Oh, nice. Remediation. So what will that flow look like? Like, 0:23:48.320 --> 0:23:51.639 how are you tying deeper into the remediation flow? 0:23:51.680 --> 0:23:54.120 Yeah. So that will include things like, um, you know, 0:23:54.119 --> 0:23:58.800 individual slack notifications or out-of-band notifications for, for end users 0:23:58.800 --> 0:24:02.520 at an organization or things. Um, you know, beyond just 0:24:02.520 --> 0:24:04.760 revoking access, but being able to start to pull in 0:24:04.800 --> 0:24:09.879 things like integrations with your IDP and starting to disable, um, 0:24:10.160 --> 0:24:12.600 access not only within the workspace but beyond it. So 0:24:12.600 --> 0:24:15.960 knowing that there has been some compromise of the identity. Um, 0:24:15.960 --> 0:24:17.960 and we're seeing a firsthand account of somebody trying to 0:24:17.960 --> 0:24:19.879 get across it, being able to validate that, you know, 0:24:19.880 --> 0:24:21.720 if your IDP doesn't know about it yet, we will 0:24:21.720 --> 0:24:23.399 help enable the remediation there. 0:24:24.640 --> 0:24:27.680 Okay. Yeah, I'm really excited about that. So it's basically 0:24:27.680 --> 0:24:31.040 getting additional context from other places in the organization to 0:24:31.080 --> 0:24:32.680 be able to do the stuff you're already doing. 0:24:32.720 --> 0:24:35.560 Yeah. Yeah, because context is everything when it comes to security, right. 0:24:35.600 --> 0:24:37.679 Of being able to know not only what's weird and 0:24:37.680 --> 0:24:39.639 what's not weird, but like when you should go do 0:24:39.640 --> 0:24:42.600 something and when pausing for a moment might be the 0:24:42.600 --> 0:24:45.320 right call. Um, you know, I've worked, you know, with 0:24:45.320 --> 0:24:48.170 security teams where they've really been trying to be not 0:24:48.170 --> 0:24:51.369 only good colleagues, but champions for their security organization and 0:24:51.369 --> 0:24:55.130 getting that buy in. And one misstep in a response 0:24:55.130 --> 0:24:57.970 action where you have, you know, either the wrong call 0:24:57.970 --> 0:25:00.170 or at the wrong time. Um, you know, that really 0:25:00.170 --> 0:25:02.210 sets the security team back. So we're trying to partner 0:25:02.210 --> 0:25:05.850 with them to make sure that they're rightsizing the remediation, 0:25:05.890 --> 0:25:08.690 you know, automatically with as much context as possible. 0:25:09.850 --> 0:25:13.810 Nice. Well, awesome. Where can we, uh, learn more about 0:25:13.850 --> 0:25:15.090 the the products? 0:25:15.130 --> 0:25:17.930 Yeah. You can find us at Materials Security. Um, you'll 0:25:17.930 --> 0:25:20.290 see everything that we have to offer there across the 0:25:20.330 --> 0:25:21.689 protection for the whole workspace. 0:25:23.090 --> 0:25:25.369 Sounds good. Hey, David, are you there? 0:25:29.410 --> 0:25:30.410 Yeah. Can you hear me? 0:25:30.890 --> 0:25:34.609 Yeah, yeah. Any modules? Um. Any other, um, pieces of 0:25:34.609 --> 0:25:36.530 functionality we should, uh, ask about? 0:25:37.170 --> 0:25:39.330 No, I don't think so. I think that pretty much 0:25:39.330 --> 0:25:42.010 touches on, like, the basic stuff. I mean, we do have, like. 0:25:42.010 --> 0:25:44.290 Like I mentioned, the cloud workspace, like, in general, that's 0:25:44.290 --> 0:25:49.030 our general vision, um, that we're kind of releasing in a, uh, 0:25:49.230 --> 0:25:52.990 I guess two days. Um, so I think he kind 0:25:53.030 --> 0:25:55.750 of touched upon it. It's not really necessarily a new release. 0:25:55.790 --> 0:25:58.670 Quote unquote. A lot of, like, our real releases have 0:25:58.670 --> 0:26:00.550 already happened. So this is just more of like an 0:26:00.550 --> 0:26:03.949 announcement kind of stuff that brings it all together, all 0:26:03.990 --> 0:26:07.310 these elements. So I don't think there's anything on our 0:26:07.310 --> 0:26:10.190 end from a feature perspective that has not been called out, 0:26:10.190 --> 0:26:11.189 that should be called out. 0:26:11.910 --> 0:26:17.630 Okay. Sounds good. All right, Patrick, I enjoyed the conversation 0:26:17.630 --> 0:26:18.629 and thanks for the time. 0:26:18.670 --> 0:26:19.830 Yeah, thanks for having me. 0:26:20.390 --> 0:26:21.189 All right. Take care. 0:26:21.230 --> 0:26:21.590 Bye. 0:26:23.190 --> 0:26:27.150 Unsupervised learning is produced on Hindenburg Pro using an Sm7 0:26:27.190 --> 0:26:30.830 B microphone. A video version of the podcast is available 0:26:30.830 --> 0:26:34.429 on the Unsupervised Learning YouTube channel, and the text version 0:26:34.430 --> 0:26:38.390 with full links and notes is available at Daniel Comm 0:26:38.550 --> 0:26:41.189 Slash newsletter. We'll see you next time.