Material Security is the brainchild of three entrepreneurial technologists: Chairman Ryan Noon, Vice President of Engineering Chris Park and CEO Abhishek Agrawal. The wave of government-targeted cyber attacks in 2016 prompted the trio to found the organization and develop no-nonsense, effective security products and services. They’re currently focused on collaborations with Google, Carahsoft and Second Front, which will result in FedRAMP High status.
Agrawal brings experience from Dropbox and a Microsoft research and development laboratory, not to mention a Harvard master’s degree and a bachelor’s from Princeton. He engaged in conversation with GovCon Wire that addressed the targets cyber criminals are most interested in today and how Material Security is working to protect its private and public sector customers’ assets.
How are you seeing the security landscape evolve, especially with regard to how attackers are adopting new techniques?
For the past decade, attackers have primarily been focused on leveraging the user to gain unauthorized access. Phishing was the tool of choice to either steal credentials or install malware. So there’s been an arms race between attackers and the security industry for who would prevail in these attacks. The good news is we’ve made a lot of progress securing authentication. With new methods like WebAuthn, we now have authentication mechanisms that are not phishable.
Naturally, attackers are pivoting to attacks that do not require user authentication as that vector becomes harder to leverage. We see them going for service providers directly and looking for weaknesses in their infrastructure defenses. This is the new watering hole attack. If you can breach a service provider, you get access to the data of many organizations, not just one.
Attackers are also leveraging application programming interfaces, or APIs, more frequently. API tokens, by their nature, are not protected by multi-factor authentication, so getting access to the token or API key is all that’s needed. APIs are also not as tightly managed as other areas of application security and there are frequently undocumented APIs that are not maintained or have vulnerabilities in the authentication method of the API.
Material Security is helping our customers leverage APIs, like the attackers already are, to defend against these attacks. We saw the opportunity to use the existing APIs of the cloud office systems to bring visibility to insecure settings and get a handle on the data stored at-rest in the cloud office, something that has been very difficult for security teams since the move to software-as-a-service.
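The answer above describes using a cloud office suite's own admin APIs to surface insecure settings, and earlier notes that API tokens and app grants sit outside multi-factor authentication. The following is an added example (not Material Security's code or any vendor API) of what such an audit can look like: it walks a constructed tenant export, flags mailbox rules that auto-forward outside the organization, and flags app grants that are over-scoped, never expire or have gone unused. The export layout, the scope names and the domain `example.gov` are assumptions for illustration.

```python
"""Audit a constructed cloud office tenant export for insecure settings.

Added example, not Material Security's code. The export format, scope
names and domains below are assumptions; a real tenant's admin API
returns its own shapes, and the checks would be adapted to them.
"""
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"example.gov"}                             # constructed
BROAD_SCOPES = {"Mail.ReadWrite.All", "Files.ReadWrite.All"}   # illustrative scope names
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)                 # fixed clock for reproducible output
STALE_AFTER = timedelta(days=90)


def external_domain(address):
    """True when the address belongs to a domain outside the organization."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_forwarding(mailboxes):
    """Flag mailbox rules that forward or redirect mail to external addresses."""
    findings = []
    for mb in mailboxes:
        for rule in mb.get("rules", []):
            targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
            ext = [t for t in targets if external_domain(t)]
            if ext:
                findings.append({
                    "severity": "high",
                    "subject": mb["address"],
                    "issue": "external auto-forward",
                    "detail": f"rule '{rule['name']}' sends mail to {', '.join(ext)}",
                })
    return findings


def audit_app_grants(grants):
    """Flag app grants / API tokens that bypass MFA with too much reach or too little hygiene."""
    findings = []
    for g in grants:
        broad = BROAD_SCOPES & set(g["scopes"])
        if broad:
            findings.append({"severity": "high", "subject": g["app"],
                             "issue": "broad scope",
                             "detail": "grant carries " + ", ".join(sorted(broad))})
        if g.get("expires") is None:
            findings.append({"severity": "medium", "subject": g["app"],
                             "issue": "no expiry",
                             "detail": "token never expires; rotation is manual only"})
        last_used = g.get("last_used")
        if last_used is None or NOW - datetime.fromisoformat(last_used) > STALE_AFTER:
            findings.append({"severity": "medium", "subject": g["app"],
                             "issue": "stale grant",
                             "detail": f"unused for more than {STALE_AFTER.days} days; candidate for revocation"})
    return findings


def audit(export):
    """Run every check over one tenant export and return the combined findings."""
    return audit_forwarding(export["mailboxes"]) + audit_app_grants(export["app_grants"])


# Constructed sample export: one risky forwarding rule and one over-privileged, stale grant.
SAMPLE_EXPORT = {
    "mailboxes": [
        {"address": "alice@example.gov", "rules": [
            {"name": "archive", "forward_to": ["alice.backup@example.gov"]},
            {"name": "cc-all", "forward_to": ["mailer@attacker-controlled.example"]},
        ]},
        {"address": "bob@example.gov", "rules": []},
    ],
    "app_grants": [
        {"app": "Backup Connector", "scopes": ["Mail.ReadWrite.All"],
         "expires": None, "last_used": "2023-12-01T00:00:00+00:00"},
        {"app": "Ticket Sync", "scopes": ["Mail.Read"],
         "expires": "2024-09-01T00:00:00+00:00", "last_used": "2024-05-30T00:00:00+00:00"},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['subject']}: {f['issue']} ({f['detail']})")
```

Running this over the sample yields four findings: the external forward on Alice's mailbox and three for the Backup Connector grant (broad scope, no expiry, stale). The Ticket Sync grant, which is narrowly scoped, expiring and recently used, produces none. The value of the approach is that it runs on a schedule against the tenant rather than waiting for a user to report something, which is the visibility the answer above is pointing at.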
What can agencies do to protect themselves in the event their cloud service provider is breached directly?
Attackers are seeing success attacking cloud service providers directly. This is a concern we need to factor in when thinking about risks. In the past year alone, we’ve seen two major breaches of Microsoft’s infrastructure that led to unauthorized access of sensitive emails.
The move to cloud services has given us many benefits. For example, security teams no longer have to work to patch infrastructure. But that same benefit also creates a risk. We no longer have full control of the infrastructure holding our sensitive data.
This lack of control means we must start thinking in terms of post-breach protections that don’t rely on your service provider to be bulletproof (because they are not). In the same way we do not trust the network anymore, we must adapt to not trusting our service providers’ infrastructure. Since the shift to cloud services, and loss of control of the infrastructure, security teams have focused mostly on protecting data in-transit. Post-breach protections protect data at rest as well so it is still safe even if the service provider is not.
Protecting data after a breach is the mission that Material Security was founded on. We help our customers reduce the impact of a breach by protecting their email and file data at-rest in their cloud office suite and return control of the data to security teams.
What have you learned from recent attacks?
Attackers are telling us that email is what they are after. With the SolarWinds hack in 2020, it was the emails of the Treasury Department. Last year we saw the Chinese APT actor Storm-0558 use forged authentication tokens to gain access to emails of senior officials at the State Department. Also last year, we saw Microsoft’s own M365 instance get compromised by Russian APT actor Midnight Blizzard. They too went straight for the emails of senior Microsoft executives. Email as a target makes sense: it is a content-rich repository that is incredibly valuable and hard to manage. Once an email lands in a mailbox, it’s a closed box to most security tools.
These attacks have made two things clear: (1) the current state of email security is not adequate because it does not protect data at rest in the mailbox, and (2) we need a new class of controls to protect data at rest if an attacker is able to use a vector besides user authentication to gain access.
The lesson to take away from these learnings is that traditional tools like email gateways won’t help stop an attack if email isn’t the attack vector but is the target. Email gateways can be thought of as pre-breach protections and one piece of protection against these attacks. We need tools that provide protections post-breach to properly defend against the attacks we’re seeing today. In the case of the attacks above, visibility into the mailbox, classification of data in the mailbox and the ability to protect data in the mailbox would have greatly reduced the impact of the breaches. Again, this is the mission that Material Security was founded on: a breach should not mean it’s game over. Defense in depth has been a cornerstone for effective security controls and we help bring that to email.
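The answer above names three post-breach capabilities: visibility into the mailbox, classification of what is there, and the ability to protect it so that a mailbox compromise does not expose everything at rest. The following is an added example (not Material Security's product or code) of the shape such a control takes over constructed sample messages: each message is classified by simple sensitive-data patterns, and anything that matches is replaced in place by a placeholder while the original is held outside the mailbox until the reader re-verifies. The patterns, the message layout and the "vault" are assumptions for illustration; a production system would use richer classifiers and a real step-up verification flow.

```python
"""Classify mail at rest and apply a post-breach protection to sensitive items.

Added example, not Material Security's code. Messages, patterns and the
in-memory "vault" are constructed for illustration; the idea demonstrated
is that data already sitting in a mailbox can be found, labelled and
pulled out of reach of whoever holds the mailbox session or token.
"""
import re

# Illustrative detectors; real deployments use far richer classification.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credential": re.compile(r"(?i)\b(?:password|passcode)\s*[:=]\s*\S+"),
    "api_key": re.compile(r"(?i)\bapi[_-]?key\s*[:=]\s*[A-Za-z0-9]{16,}"),
}


def classify(message):
    """Return the set of sensitive-data labels found in a message's subject and body."""
    text = f"{message['subject']}\n{message['body']}"
    return {label for label, rx in PATTERNS.items() if rx.search(text)}


def protect(message, labels):
    """Swap the body for a placeholder; the original is returned for storage under separate control."""
    original = dict(message)
    redacted = dict(message)
    redacted["body"] = (
        f"[Protected: contains {', '.join(sorted(labels))}. "
        "Re-verify your identity to view the original.]"
    )
    redacted["protected"] = True
    return redacted, original


def protect_mailbox(messages):
    """Classify every message at rest; protect the sensitive ones and report what was found.

    Returns (mailbox_after, vault, report):
      mailbox_after - messages as they now sit in the mailbox (sensitive bodies replaced)
      vault         - originals keyed by message id, held outside the mailbox
      report        - (message id, sorted labels) for each protected message
    """
    mailbox_after, vault, report = [], {}, []
    for msg in messages:
        labels = classify(msg)
        if labels:
            redacted, original = protect(msg, labels)
            mailbox_after.append(redacted)
            vault[msg["id"]] = original
            report.append((msg["id"], sorted(labels)))
        else:
            mailbox_after.append(msg)
    return mailbox_after, vault, report


# Constructed sample mailbox: two sensitive messages and one benign one.
SAMPLE_MAILBOX = [
    {"id": "m1", "subject": "Onboarding form", "body": "Applicant SSN: 123-45-6789, start date July 1."},
    {"id": "m2", "subject": "Lunch Thursday?", "body": "Noon at the cafeteria works for me."},
    {"id": "m3", "subject": "Service account details",
     "body": "Reminder: password: hunter2-Rotate! and api_key=abcdef0123456789abcdef"},
]

if __name__ == "__main__":
    after, vault, report = protect_mailbox(SAMPLE_MAILBOX)
    for msg_id, labels in report:
        print(f"{msg_id}: protected ({', '.join(labels)})")
    for msg in after:
        print(f"{msg['id']}: {msg['body']}")
```

On the sample, `m1` and `m3` are protected and `m2` is untouched. The point of the design is the separation: an attacker who reaches the mailbox through a stolen token or a provider-side breach now sees placeholders for the sensitive items, and recovering them requires passing the step-up check that the mailbox session alone does not satisfy.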