B (14:56)

The way I like to describe it is that if you think about a company's office suite or productivity suite, whether it's Google Workspace or Office365, they're kind of not a company until they have a Google Workspace or Office 365. Right. It's like one of the first things you set up when you get started literally as a company because you're giving email to employees and like where they do their work. But from like a security context, it just is such a mission critical surface because it's where kind of a lot of the institutional knowledge of the company exists. It serves as identity. It's obviously where a lot of sensitive content resides and kind of the first app you get and the last one that gets taken away when you leave. So it's a critical piece of infrastructure.

A (15:38)

Well, being so mission critical, where does it stand in terms of the security that it provides out of the box?

B (15:46)

So the infrastructure is actually fairly secure out of the box. There's a lot of things that they do well. I think the challenge becomes when as an organization and as a security team, you're looking for additional controls or customization or granularity. Those are the types of areas in which as an organization scales, they might start hitting roadblocks with some of the out of box tooling. So it's less about security coming out of at the infrastructure level, and it's more about tooling that a security operations team might need or a detection and response team might need when they're doing investigations or when they're thinking about specific threats that are relevant to their organization.

A (16:29)

You know, we often hear folks say that identity is the new perimeter. How does that play out with Google Workspace?

B (16:37)

Yeah, I mean, I think that statement is very true and has been for a long time. And the way it plays out in Google Workspaces, often Google Workspace is acting as identity. So, you know, if you think about your Google account, it's how you log into things, it's how you prove you are who you are. In many cases, even if you're using a third party IDP like an Okta, you're still often connecting that as a source of truth to your Google directory. So it absolutely serves as identity. If you think about oauth applications and signing into them with like a Google account. And the way we like to talk about it is that if you're thinking about an account in Google Workspace, it actually is consolidating a lot of different pieces of context. Right? Who that person is in the Org, what files they have access to, what their function is, what messages they send out. And at the end of the day, that's kind of what identity means.

A (17:36)

Well, help me understand here. Once an attacker gets Inside, what does it look like? What does lateral movement look like within workspace?

B (17:46)

Yeah, there are so many different opportunities to move laterally. So backing up for a second. There may be many different ways that an attacker gets in in the first place. From an initial access perspective, for example, by far one of the most common is some type of credential theft, whether it's phishing or looking for stolen credentials. But the point is that once they are in, there's actually just not really any additional controls to stop them from moving laterally. So for example, if I compromise an email account, nothing stops me from using that same session to go, now look at Google Drive and understand what files are in there, or pivot over to other applications that might be using that Google account for identity. There are lots of different paths that one can take. The other thing is, attackers often are very interested in establishing some persistence. It's not just about the initial access or lateral movement. It's about making sure that they can continue having their presence. So for example, the kinds of things that we see very often are an account gets compromised, the attacker will start setting up things like mail rules for forwarding all email that's coming into that account. They might go try to change the MFA settings, they might assign delegate accounts. So these are all different methods for establishing some sort of long, long term persistence.

A (19:06)

Well, let's talk about data sprawl. You know, I think about my own experience with Google Drive and I think there's an impulse to be a bit of a pack rat.

B (19:18)

Yeah, absolutely, yeah. It's not just in Google Drive. I think with email it's the same thing, but basically the cost of storage has gotten so low that all of us many, many, many years ago at this point stopped deleting things for the most part. Right. Certainly in our consumer lives, probably at work as well, where you may as well hold onto something, there's a chance you might need it and there's not really any incentive to delete it. Unfortunately, what that means is, yeah, one, you are collecting a sort of ever growing treasure trove of data which you may not even need, but poses a lot of risk. But secondly, for something like Google Drive in particular, often that data is shared, right. So it's shared internally inside the organization, but it might be shared externally. It might have very wide sharing permissions, like any being publicly accessible. And when you put these two things together, the vast amount of data sprawl that you kind of don't really have a handle on anymore. And then also the fact that a lot of it might be shared in a way that at the time was fine, but with time you've kind of forgotten about it leads to this kind of pretty large exposure surface, right, that can be exploited and often it's just very hard to get a handle on.

A (20:34)

Well, in terms of the built in tools that the Google suite comes with, in what ways do they fall short?

B (20:42)

Right. As I was saying earlier, there are built in tools that kind of will do some of the basics, but the minute that you really need to configure them to be more granular or take more specific actions that are appropriate for the context of your organization, that's where that flexibility is often not there. So to take an example for Google Drive, you know, Google has a built in DLP offering that will actually help you identify certain types of sensitive data in Drive files and then take some sort of remediation action on files that have that data. Both the detection and the remediation is very, very blunt. Right. Security is never as simple as black and white. So by the time you need a lot of these controls, what we see is that customers end up not being able to use the built in tools and instead are kind of trying to hack things together either through third party tools or by trying to use the APIs themselves. The general point is just a lack of flexibility and a lack of granularity. And I think there's also a sense that a lot of things are sort of incomplete. You know, the out of the box tools, they get to kind of an 80%, but when you try to use them in real world scenarios, there's kind of obvious gaps that you run into.

A (21:58)

Well, I know an analogy that you like to use is to look back at sort of the history of security when it comes to email and some of the lessons we can take from that. Can you unpack that for us?

B (22:11)

Yeah. I think the way we think about email security at Material is very related to how the company actually got started. And that was that we got started after some very high profile email accounts were compromised in the 2016 US election cycle. And that led us to think about a very basic question, which is that why is it that all of email security is so focused on the perimeter, which is essentially blocking malicious emails from getting in. That's really, really important. But it's not really the only way that someone can get into an email account. And when someone gets into an email account, there's actually a lot of things that they can do that sort of are unrelated to how they got in. So whether I did a phishing email, whether I stole credentials some other way, maybe I did an OAuth grant. The point is, if I'm inside a mailbox, there's actually a lot of additional damage I can do. And the email security industry didn't really focus on that problem. As we thought about this problem, what we realized is that there's actually a perfect analogy to how the antivirus market evolved into edr. Right. So back in the day, the AV market was really about signature based malware detection on the endpoint. And it was very black and white. It was like either you try to catch the malware or you don't. And if you kind of missed, if you actually there was some malware that wasn't in your kind of signature directory, there wasn't really anything else that that product was trying to do after that fact. Right. It was very much like a hit or miss. What we sort of learned by that is that nothing's ever going to be 100%. It's not really going to be the case that you're going to detect every single malware ever. And so you need to have a plan for other types of detection and response capabilities that you can do on the endpoint. That's what led to edr. I think there's a very similar evolution happening with email. You know, the sort of marginal benefit of catching one more phishing email is going down. Just simply thinking about catch rate as the only metric is sort of not that useful anymore because no product is claiming that they will catch all malicious emails ever. So we kind of need to take an EDR mentality, which is how can we broaden to thinking about not just the perimeter, but some of the sort of adjacent use cases? Right. So how can we add controls that work even in the event of an account compromise? How can we add controls that actually help us harden processes within our companies that might rely on email in an unsecure way? And when you kind of put these things together, it's sort of leading to a view on email security that goes way beyond simply blocking the initial delivery of malicious emails and actually prioritizing things like visibility, context, joining with other signals throughout the workspace, helping you remediate things not just by blocking emails, but taking more granular controls within the mailbox. And so, yeah, I think there's a very necessary evolution that has to take place.

A (25:20)

Yeah, we mentioned Google Drive and I think a lot of people will call Google Drive a gold mine for attackers. Can we dig into some of the specific risks here that people face there's.

B (25:35)

Kind of maybe two large categories of risk. So the one is more from kind of an insider perspective. You might end up in a scenario where employees have access to a lot of information. And as you scale, you have to think about, okay, what does that mean from an insider perspective? Right. The first kind of class of risks is really about your own employees and what information they have access to and whether they can either maliciously or accidentally access information that they're not supposed to. The second class of risk is really about attackers and adversaries. So if someone does compromise a mailbox or does compromise a Google identity, obviously one of the first stores of content that they're going to go after is Google Drive, just because of the nature of data that ends up there. You know, legal documents, financial reports, pii, pci, regulated data of all sorts. And that is information that can be monetized. It's information that can be ransomware. In that scenario, there's also kind of a risk not just from an account compromise, but from an account compromise that is external. Right. So those are kind of like the two big buckets I would put the risk in.

A (26:47)

Yeah. Well, I mean, given everything that we've talked about here, what are your recommendations? I mean, how do you and your colleagues there at material come at these specific issues?

B (26:59)

One of the best things about Google Workspace is that they have very, very powerful APIs. And so even though there are some shortcomings in the security products that are out of the box, the APIs make it so that a lot of this information is available. Now, the difficulty is that to consume these APIs on your own can be challenging. You have to stand up services. There's an infrastructure, there's many different APIs that can be hard to understand. The kind of approach that the top security teams that we work with use is that they're using these APIs to consolidate a lot of the data in one place and then building their own kind of detections and response capabilities on top of that data and leveraging the APIs for that. Now, the problem is that the average company simply doesn't have the bandwidth to take on a project like that. They don't have the headcount necessary to do that.

A (27:53)

If I'm a CISO and I decide that this is something that I want to take on, that my Google Workspace needs these extra levels of protection, what does that transition look like for me and my team?

B (28:07)

So I think the first piece of advice is narrowing the problem and really starting to prioritize what aspects of workspace, Are we going to kind of start getting our arms around first from there? Again, what these APIs do let you do is in a fairly low impact to users way, start experimenting with getting some visibility and getting some basic controls in place over the risks. The key is to sort of take it one step at a time and again start with kind of a prioritized view on what the highest levels of risks in your workspace are.

A (28:46)

What does it look like on the other side? Once I'm fully up and running with something like this as a security leader in my organization, the goal with something.

B (28:54)

Like Material is to free up resources for the security team so that they can go spend their time on more impactful things. And what that looks like is really two things. One, it's having confidence that you sort of have visibility into what's going on. The second and more important thing is that you've set up a lot of auto remediations. So when things do happen, instead of your team having to ingest some alert and now spend hours investigating it and then eventually taking some remediative action. Whether it's a phishing email that automatically gets blocked or a externally shared file where the permissions automatically get revoked after confirming with the user, these are the kind of automated workflows that you really want to enable. Because at that point what the sort of like dream is that you're living in a world where a lot of this security is kind of taking care of itself and when there are problems they're sort of self healing.

A (29:51)

That's Abhishek Agrawal, CEO and Co Founder of Material Security Foreign they know cybersecurity can be tough and you can't protect everything. But with Thales you can secure what matters most. With Thales industry leading platforms you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Thales T H A L E S learn more@talasgroup.com Cyber I'm Christian McCaffrey, pro running back and Abercrombie is an official fashion partner of the NFL. I'm not kidding when I say NFL by Abercrombie broke the NFL Internet last year and I think this season's lineup is even cooler. And so does my wife who keeps stealing all my hoodies. Stay fit for the season and Abercrombie's newest arrivals shop NFL by Abercrombie in the app, online and in store. And finally, Connor Bryan Fitzpatrick, better known to the underworld as Pompompurin, has finally discovered that running the Internet's largest English language data breach Bazaar doesn't come with frequent flier miles. It comes with prison time. The 22 year old breach forum's founder originally got off with 17 days served, a sentence so light an appeals court labeled it substantively unreasonable, which is judge speak for are you kidding me? Now he'll serve three years, far short of the 15 prosecutors wanted, but a notable upgrade from a long weekend behind bars. During BreachForum's year long reign, Fitzpatrick facilitated the sale of 14 billion stolen records and made nearly $700,000 proving crime pays, just not sustainably. He'll surrender his domains, devices and crypto stash while the FBI reminds cybercriminals if your business model depends on VPNs and stolen identities, the retirement plan is usually an extended stay at Club Fed. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Attention security startups. There's less than a week left to apply for the 2025 Data Tribe Challenge. This unique program accelerates early stage cyber companies. Refine your messaging with startup veterans, then pitch to top venture firms. Shaping the future of cyber the live pitch competition takes center stage at Cyber Innovation Day, November 4th in Washington, DC. Applying is easy. Go to challenge.datatribe.com Share your company info and upload your pitch. Submissions close September 19th. Submit your entries today. And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from threat locker.