Lets talk about the Evolution of Email Security. We have been speaking about Email Security for years but why has it not been solved? We spoke to Abhishek Agrawal, Co-founder of Material Security about the fact that despite of decades of advancements, email security remains a critical concern, with sophisticated attacks continually bypassing traditional controls. We explored the fascinating landscape of productivity suites like Microsoft 365 and Google Workspace, underscoring their importance beyond just communication tools. What are the critical aspects of threat management, posture management, and the necessity of a focused approach towards securing this often-overlooked segment of our digital infrastructure management.
Questions asked:
00:00 Introduction
03:57 A bit about Abhishek
04:49 What is a Productivity Suite?
05:48 Why Email Security is still a focus in 2024?
11:43 Where to start with Productivity Suite Security
?15:03 The role of Cloud Native Tools in Productivity Suite Security
19:38 Where can security leaders start with Productivity Suite Security
24:39 Where can people learn more about Productivity Suite Security
26:44 Fun Questions
Abhishek Agrawal: [00:00:00] we also started it literally because we were like, wait, we thought this thing was solved.
Like, why are there email breaches? And the news and why are like election hacks happening? What the hell is going on? Cause it's like a 30, 40 year old technology. There've been multiple generations of email security products and you assume things are solved, but they aren't.
but there are just more and more types of sophisticated attacks that are still bypassing any type of controls that people have put in place and they're making it into mailboxes.
So even in 2024, it's still a fantastic way to deliver an attack.
Ashish Rajan: Did you know that Attack MITRE has this famous framework around how the threat actors on the internet are using TTPs on public cloud. For example, the two that are called out as point of entry has been leak credentials or related to credential access or misconfigured resources. Now the first one, which is probably credential access to most people, as you will understand these days, it's usually from email or probably someone sharing their username password somewhere.
Now employees sharing credentials is something that security awareness training and maybe just having some good culture around [00:01:00] it helps. I would assume most of the time, but something that is usually dropped onto culture and some individual tools would be email security. Now email security itself has come a long way for some of you, probably my age and maybe or even older, We've seen email security evolve from just being phishing to a lot more.
These days, most people either use Microsoft Office 65 or Google suite. Most people even pay a license fee for it. Every enterprise out there has this productivity suite. They're using to have email storage and just having a way to communicate. And these are some of the ways people are accessing leaked credentials or getting access to say someone's email or someone's malware.
I had the honor of talking to Abhishek from Material Security, the Co-founder of Material Security. And before you think this is an episode on phishing, let me remind you of something that I learned along the way as I was talking to Abhishek, was more around the fact that, hey, there are threat management aspects you have to look into in email.
There is vulnerability management. Threat detection, there is posture management. Yes, there's a whole category [00:02:00] SSPM that was created by Gartner for this as well, which is Software Security Posture Management. There's also category created for data security these days, especially if you are looking at GenAI projects.
There are all these things which we have always drawn a parallel in the cloud security world. A lot of you and me and others who probably are listening to this or watching this have gone through the journey in the cloud space, but somehow along the way, number one thing that we talk about in cloud, which is identity, we probably do not probably pay a) much attention to identity coming from email these days, especially if you're using a older version on non API enabled versions of mail service. This is a conversation that I think you should definitely listen into to understand what some of the real time threats that are already happening in the world of email, how email security has changed to now becoming almost the same.
At least I would say it should have be on par with the same kind of attention we provide to cloud. And this is a great conversation for someone who probably has not spoken to the corporate security team for some time. This could be some interesting information for them to [00:03:00] work off. And maybe you could probably transfer some of the things you've learned on your cloud security side, over to your colleagues on the corporate security side, because these days emails are a lot more complicated than just basically stopping people from phishing email.
Now, obviously, a lot of people have gone down the phishing email MFA and a lot more can be done, but I hope you enjoy this conversation with Abhishek. And it gives us an opportunity for you to revisit the Attack MITRE if you haven't especially around the identity threat matrix that you may have created in your organization.
As always, if you're here for the second or third time, if you enjoy listening to what we're doing and watching what we're doing as well, definitely give us a subscribe and follow on your favorite platforms. For iTunes, Spotify, Review and Ratings are always welcome. On YouTube, Linkedin definitely follow, subscribe for the next episode when it comes out, but I hope you enjoyed this episode and I'll see you in the next one.
Peace. Hello, welcome to another episode of Cloud Security Podcast. Today I've got Abhishek with me. We're going to talk about productivity suites because they're not spoken about enough, but before I get into all of that Abhishek, welcome to the show. How are you man? Thanks for having me. Yeah, no, this is fun.
Awesome. And maybe just to set the scene, could you [00:04:00] share a bit about yourself and where it got you into the whole productivity suite?
Abhishek Agrawal: Yeah, sure thing. So my name is Abhishek. I'm the co founder, CEO of Material Security. Before this company, I was an early PM at Dropbox and the company was around 250, 300 people.
And one of my first jobs there, I ended up working on a lot of different things there, but one of the first things I worked on was the data infrastructure group. Every Dropbox client across the world was pinging logs up to this big Hadoop cluster that we used to maintain. And then we built all sorts of tooling on top of that for, the growth monetization teams, but also the security team.
So at Dropbox, the security team was like a big customer of ours internally. That was my real first foray into the security world. And then, yeah, out of that experience and some of the stuff that happened in 2016 with the elections, we found ourselves building a company in the email security and these days productivity suite security space.
Ashish Rajan: And maybe, cause it's funny because I, even though I thought I knew what productivity suite was and I spoke to you and I go, I don't think I know what productivity suite is. Maybe, I feel like my audience may also have some [00:05:00] people in there who probably like me, who probably didn't understand what productivity suite is and like why we're talking about it in cloud.
So we'll get to the point of why we're talking about it in the cloud security context, but how do you define productivity suite?
Abhishek Agrawal: Yeah, no, it's a great question. I don't think there is one perfect definition. What we mean by it is basically your cloud office suite. You can call it productivity suite, cloud office, but Google workspace or Microsoft 365, basically where you do your files, email, chat is typically referred to as the cloud office suite or productivity suite. And email is a really big part of it and actually where we started, but obviously that whole kind of suite of tools is pretty critical at every company.
And it's interesting because like other pieces of security infrastructure, it's one of those things where every company in the world has basically consolidated around one of two apps, like either use Google workspace or use Microsoft 365. So that's what we're normally referring to when we say productivity suite.
Ashish Rajan: Yeah. And if you're a decent sized company, you probably are paying a license fee as well for that. Yeah, for sure. For sure. By the way, those are not my words. Those are your words. So now that we define productivity suite and [00:06:00] obviously license for the part was your saying, I was going to say in terms of email security, like the first time I, you know, even when I spoke to you about it as well, I was like, man, isn't email security already solved?
Like I think I'm sure. It is not the most complex thing in the world as someone who's probably quite far away from it. These days, I feel like, why is that still a focus?
Abhishek Agrawal: Yeah. So there are a couple of things about email security that, first of all, when we started the company, we also started it literally because we were like, wait, we thought this thing was solved.
Like, why are there email breaches? And the news and why are like election hacks happening? What the hell is going on? Cause it's like a 30, 40 year old technology. There've been multiple generations of email security products and you assume things are solved, but they aren't. And I think that there's kind of two main things where we discovered we're still unsolved and probably still are today. One is that what people traditionally mean by email security is simply stopping attacks from coming into a mailbox, right? Like emails, this like incredible open protocol for delivering whatever I want to anyone I want. [00:07:00] And obviously like in the security context, that's a bad thing.
The first thing that's not really solved is that, you went from like Spam to malware to phishing , but there are just more and more types of sophisticated attacks that are still bypassing any type of controls that people have put in place and they're making it into mailboxes.
So even in 2024, it's still a fantastic way to deliver an attack. But the thing that actually started our company and really made us feel like email security is not solved is forget just using it as a way to deliver an attack. It's actually a target. Because when everything moved to the cloud, all of us started storing all of this email that we have forever.
Think of your own personal Gmail account. It's 15, 20 years of email and in the corporate setting, same thing. So now all of a sudden it's not just this messaging protocol. It's this big content repository. And just like any other content repository, it's a target. I can, if I hack someone's email, I can go get a dump of all of this communication over years and years with all sorts of sensitive content.
And what we saw in the kind of like 2016 election cycle [00:08:00] was, these were literally the targets, the mailboxes. And then if you can put, exfiltrate all this data and all sorts of bad things happened downstream of that. And the reason we felt that wasn't really solved is if you think about most email security tools, they're approaching the problem from thinking of email as the delivery vector, not the target.
So what does your average phishing detection tool or spam detection tool do for the fact that you have all this content sitting inside a mailbox at rest? That's very sensitive. Absolutely nothing. It's not even focused on that problem. So our kind of thought process was cool, there's like traditional email security.
That's still unsolved because all these sophisticated apps are bypassing the traditional defenses, but then there's also this like non traditional email security, which is more focused on the content inside mailboxes, more focused on the fact that email is also an identity layer for all sorts of applications, which can be abused.
So we basically started doing things that were about email security, but not the email security that you normally think of.
Ashish Rajan: Actually that's good explanation because I was going to say [00:09:00] to your point about the target being the email rather than, Hey, I am just interested in making Ashish click on a link so I can download my malware and install it.
Yeah, I think something else I think is probably worthwhile calling out and maybe that sets the context for. Why email and cloud these days probably are on par in a lot of ways. A lot of people are asked to be federated and unlike back sounds like really ages ago, but I think these days Active Directory is still a thing, but it's more Azure AD or Entra ID, whatever they call it.
I'm sure they'll change the name tomorrow again. Thanks Microsoft. But it's I feel like that's also another part, which to what you said. It's important to look at that as a target, because if I have someone's mailbox access, like an Office 365 or G Suite access, you could actually have access to Google cloud, AWS, Azure, whatever, because all enterprise users of these solutions, they all have federation because that's security policy.
Number one, most places, right?
Abhishek Agrawal: Yeah. Yeah. A hundred percent. And that's like the most extreme example, but even I mentioned I was at Dropbox before this company. A really great [00:10:00] way to hack Dropbox accounts back then was to hack an email account and request a password reset and just reset the password and move laterally to the Dropbox account and replace Dropbox with Twitter, replace Dropbox with LinkedIn, GitHub, like you could go to all of these apps because they're using email as an identity layer.
Even if you have something like SSO deployed, sometimes these apps use email as a backup. Slack is famous for sending magic links. you back into a Slack workspace through email, even if it's behind SSL. So again, traditional email security, not really concerned with that problem. Whereas a lot of things we were doing was focused on it.
And this stuff, like it used to sound hypothetical, but if you think of the Sony pictures breach, that was probably the most famous one where like all these executives emails was on WikiLeaks, it got folks fired HBO had something similar back in the day. And then more recently, like SolarWinds, Hafenium, their recent storm Midnight Blizzard, they're all attacking email.
Because it's it's the oldest trick in the book, right? Like it's our correspondence. It's where [00:11:00] all this information is being exchanged. It's a really great target for information.
Ashish Rajan: I think at least we are not in the Blackberry era anymore, but I think more, iPhone is not that iPhone makes it, because the reason why I call it the Blackberry and iPhone thing is because a lot of people also think that if I access it on my iPhone or my Android, I'm fine.
But I think this is way more than that is what we're talking about, right?
Abhishek Agrawal: Yeah even those systems have now switched to OAuth. Protocol, right? So they have access to your mail, cloud mail through OAuth, which is a whole other kind of can of worms, all these like applications that can access email.
And all of a sudden you're like literally letting some app that maybe you've never heard of get all access to your mail and all of it and for all time. And yeah, these were some of the problems we set out to solve that are in the kind of non traditional email security side.
Ashish Rajan: I think there are obviously a lot more these days to email security to as you called out now, going back to the whole productivity suite, obviously email was one component, but there are all these other components that people should be looking at it as well from a overall productivity suite now that you understand the importance of it from not just the fact that, hey, just an email.[00:12:00]
But yes, an email, which is a potential target, which has integration to your cloud environments. What are some of the other things that people should consider when they're looking at the overall security of a productivity suites?
Abhishek Agrawal: Let's just talk about M365 or Google Workspace for a second, right? It's the first app I get as an employee when I joined a company.
It's the last app that someone takes away when I leave. It's pretty much the only app that everybody in the enterprise has a license for. Like every single person get, it doesn't matter like what your role is. You get, an email account, you get an identity. So it's this like really critical piece of infrastructure.
It's not really just another piece of SaaS in your company. It's a, this really important application. And we like to say it's all your people, all your communication and all your content sits in this one thing. First of all, it deserves focus. So we don't try to protect like 50 different apps. We are very focused on these two apps in terms of to your question of what it means to really secure these what security teams are doing today to handle these surfaces for us, after lots and lots of conversations, a lot of experience with [00:13:00] serving customers over the last few years, I would say it really breaks down into three categories of types of things.
One is threat detection. It's basically threats against the productivity suite, which honestly are overwhelmingly email based. So that's where, your traditional email security, like phishing emails, basically someone trying to attack the productivity suite via email. So it's threat detection.
There's other types of threats obviously, but email tends to be very prominent there. The second category is config or posture management. So you think of the average, like M365 deployment. It is super complex. There's like thousands of users doing different things. So there's a lot of behavioral stuff, but then there's also some legacy settings.
There are things there where the defaults might not be appropriate and you have to change them. So there's a lot of monitoring of the posture, even something really simple. If someone in your company goes and sets up an auto forward of all of their corporate email to a personal email address, would you even know, like the answer is it's very hard to know that.
And some of these things you can't turn [00:14:00] off like across the board because there are legitimate business use cases for them sometimes. So just monitoring these kinds of things, if I'm sending a lot of email manually to a personal account, how do you monitor for that? So there's a posture hygiene, and this is where you see people writing their own detections or they're maybe using like posture management tools.
And then the third category, which I think is actually the hardest is data. So what sensitive data is in these productivity suites? How do I identify it, classify it properly, but then also how do I track where it's going and how do I put the right access controls on it? A lot of folks are like pretty unhappy with the native kind of default security tooling around some of these things.
So data wrangling or data kind of classification ends up being a third big category of things. But if you think of each of these things, like threat detection slash email security posture management, and then also like data stuff. These are like historically three different markets. You have like email security of SSPM, you have DLP and CASB.
And it's a little crazy because security teams are normally like [00:15:00] jumping between these tools and they don't really have any shared context.
Ashish Rajan: Because I think just to probably call out as well, because most enterprise usually have these productivity suites, I guess as a separate responsibility for corporate security in nine or 10 times, there's actually no communication between the corporate security as well as the enterprise applications security, whatever they're doing, because it's Oh that's your turf.
This is my turf. We don't walk into each other's turf. But technically, as you explain. More, I'm going, okay, wow. So I know there's a whole SSPM category that Gartner came up with, but yeah. Even in that space, they don't talk about all of these things because that focus primarily is more around, Hey, I'm going to help you manage the posture for all these SaaS services you have, but I love the fact that we're focusing our conversation on the productivity suite because. Now that I realize, wait, how many people actually want to have their own email servers in a virtual machine as well, like there's a vulnerability management component there as well. Cause you have some people like, Oh, I want to have my own certificate manager in AWS or Azure or whatever. There's a whole I imagine those people should probably [00:16:00] like, I think, pique their interest in this particular context as well. Threat detection vulnerability management, data. I think from a data perspective, I think most commonly I used to hear about Microsoft Defender for data. Do you find that, obviously, I'm sure you would have seen the product as well.
Do you find that Microsoft Defender being more native? Is that looking into some of these things as well, or is that I think where I'm coming from is that a lot of people might hear this and go, I've got Microsoft Defender. I'm like, that looks like everything, I've got the E5 license or whatever is all you can eat menu. So I can get anything I want. Is that belief put at the right place or is that just misplaced?
Abhishek Agrawal: I think it's honestly very similar to any security problem where the platform you're securing has some native security capabilities inside it that are pretty much honestly, get you some good baseline coverage, like they probably get you to 70, 80%, but there's a reason that, for endpoints, people still bring on like a CrowdStrike or a Sentinel one for their cloud workloads, they still bring on like an Orca or Wiz for their network.
They still bring on a Zscaler or a PaloAlto. Each of those things that I just [00:17:00] rattled off also has native security kind of controls from Microsoft. But they feel the need to supplement them, in the case of the productivity suite in particular, and E5 on the data side, it's actually less defender.
It's Microsoft purview is the name of the product. And then on the threat detection side, it's more Microsoft defender, again, both solid products in terms of getting some baseline coverage. But what we see with most customers is on the defender side, they're typically supplementing that with another API based product just because they're still seeing things that get through.
And then on the purview side, there's a lot of challenges with getting the data classification precision, right? And then also any type of user adoption, right? Any system where you're relying on users to help tag data, it's just bound to fail because most users don't care. And so we've seen a lot of customers struggle to just get the right adoption and deployment for something like a purview.
But some of the controls make a ton of sense, for like traditional DLP. Some of the things that, we do that don't really overlap. They're [00:18:00] pretty different. Are trying to cover a slightly different threat model. In the beginning of the call, we were talking about kind of the Sony pictures or the 2016 election, like John Podesta problem.
So like I get into a mailbox, I go exfiltrate all the data, something like a purview is not really designed to help with that problem. We go not just scan new messages from the moment we're deployed. We actually go scan historically all of the mail that's sitting inside your archive.
So if you're one of those like email hoarders, which all of us are, you've got like years and years of email. You may have a retention policy at work, but even then it's probably multiple years. So you've all this mail, we go scan that, we classify that, we see what sensitive data is hanging out just in mailboxes.
And then what we can do is we use the APIs to actually redact it. And what that means is that if I get into this mailbox, if I actually like download all of the contents, I don't actually get that redacted message. It's not there. But if I'm the true account holder, if I actually needed that, I hoard the email for a reason.
What I do is I just pass a side channel challenge like a Okta [00:19:00] request or a dual request or, and then we can actually unredact the message right back in place. And this is all possible through the magic of API. It's that's the other thing that really changed here, like productivity suites.
It's used to be on premise, like really not that long ago. Yeah. It's only in the last five to 10 years that they've really been adopted inside the enterprise in cloud. And so now that you have like Word and Excel and like Outlook running as services in the cloud that come with APIs.
All of a sudden you can do a lot more interesting things from a security perspective than you ever could before. It also means now there's lots of new attack paths that have been opened up that weren't there before, but, such is life.
Ashish Rajan: Yeah, unfortunately, that just means a lot of us continue to get employed as well.
But I think I was going to say in terms of love the analogy on how email itself has changed quite a bit. Because I remember so many projects where we're ditching the on premise exchange server and going to Office 365. I think it may come across as like a, an elephant to eat for lack of a better [00:20:00] word.
Where do people even start? Cause I imagine a lot of people who are listening to this conversation, like any CISO VPs are listening to this conversation going, Oh, I probably should talk to my corporate security counterparts if they're not on the call already, or they're thinking, okay, man, sounds like a big problem to chew on one go.
Advice on where should they be starting? Cause I imagine to what you said, I'm sure there's like an email thing they're looking at, we have a phishing tool or whatever, but then they haven't considered threat management, posture management, vulnerability management, DLP going, okay, I need more budget, but where are we starting?
Abhishek Agrawal: It's a really good question. And honestly, I have a lot of empathy for security leaders that are happy to make that kind of choice because it's it's a Yeah it's overwhelming. There's a lot. And these surfaces, it's funny. Like I was saying, Oh, we want to focus on just these surfaces.
Unlike SSPM. That's like trying to cover these long tail of apps, but even just this one surface is so giant, like M365 is like a massive surface In terms of where to start, we see a couple of patterns. One is that email security is this kind of evergreen thing. Like most companies in the [00:21:00] world decide that they want to supplement their existing controls with some sort of email security.
And historically that used to be what I call secure email gateways. So think like a proof point or a mimecast, or even before that an iron fork. And these products work by being in your network and they literally intercept all inbound and outbound email and try to do filtering. That is an architecture that is still prevalent, but it's starting to be questioned because the rise of API based products, which have just a smaller integration lift, they can do a lot of additional things that you can't do when you're just filtering email. And so one way that we see people kind of start is that they are revisiting whether their secure email gateway is the architecture they want, either because they're thinking about replacing it or because they're thinking about supplementing it with an API.
So that's one path, which is you can think about your email security and see if you're satisfied with it. And what that means is traditional email security, right? Phishing defense are you spending a lot of time on it? Are you spending a lot of money on it?
Are you [00:22:00] unhappy with the architecture? And if you are, then it might be interesting to consider an API based vendor. If you do go down the API based vendor route, then you start thinking about, okay, what kind of different approaches are available? So that's one angle which is from the email security side.
The other big kind of angle that we typically see customers start with is they're just doing like a broad DLP type initiative where they're trying to get a handle on what sensitive content even exists inside their email, but also inside their files, inside their chat systems. And as part of that, what I think the most successful companies do is they come up with kind of a few data types that they really consider the crown jewels for their company.
For example, at a insurance company, it might be like the PII of their customers at a healthcare company, it might be patient records at a chip manufacturer. It might be like the IP of their chip designs, but whatever it is, they come up with a few data types that are very important to them.
And then they try to think about [00:23:00] how to identify and classify those two, the types across the productivity suite. And once they get that visibility, then they think about, okay, how do I put the right access controls in the right places? .
But those would be the two angles that I would consider, someone listening to the podcast to start with either thinking about your email security and whether it's modern and whether there's something you're missing in terms of capabilities. And then also thinking about your like data classification or identification program and whether that's something that you have a good handle on.
Ashish Rajan: As we were talking about this, I think one thing that came to mind, and I don't know if people have considered this, but Attack MITRE that has done like a TTP on how people get access to cloud. One of the ones they called out was credential access and email security, I would say in today's day and age, unless you are using the same username, password as your Windows domain at another website, 99 percent of the rest of the scenario are email related. I would have thought, I don't know if you agree.
Abhishek Agrawal: Yeah, for sure. I think things have gotten a lot better thanks to [00:24:00] the prevalence of MFA, especially as people are discovering like push resistant MFA. Phishing is obviously still very prevalent top way of kind of credential theft.
But also what we see a lot is the sort of attacks that don't really have the goal of stealing credentials. They're more just focused on social engineering and this is like the traditional kind of BEC, right? Where they're trying to convince someone to pay an invoice or they're trying to convince someone to change payroll.
And so email tends to be a great way to harvest credentials for sure. And that's historically what it was used for. But I think these days we also see a lot of just the intent is not really to harvest anything. It's just to try to create some business process and get the victim to follow it.
Ashish Rajan: This reminds me of a conversation that I had with one of the fellow CISOs. We were talking about how people with privileged access in any environment should have a special security awareness training as well. Not just a general one. Hey, this is what you look out for in a phishing email.
It should be a bit more around, especially if you have cloud access, you probably need a bit more than just a phishing email with a specific link, but now, dude, this has been awesome. Where do you [00:25:00] think people can, learn more about this thing? I feel like apart from you, and I think you're probably the first person we would start talking about productivity suite and why it's important and why it doesn't get as much attention as cloud, even though it has every tentacle inside the cloud as well.
Where can people learn more about this kind of stuff if they want to go down that path of actually looking into this
Abhishek Agrawal: I think like awareness around this stuff is definitely rising, unfortunately a lot of their like recent hacks, with Microsoft have re focused people's attention on this. I don't think any of these are new problems. They've honestly all existed for a long time and it's more just that they've always been solved in different tools or in different ways. For example, like the problem you're talking about with privileged access, like if there is an email account that is also the Username and password for your corporate Twitter.
All of a sudden that is like a very important email account, because if I get that email account, somehow I can just reset a Twitter password and Twitter isn't behind SSO or anything like that. And it's something like Material we try [00:26:00] to, intercept password, reset emails. We put a MFA challenge before you're allowed to access them just so we can make sure that we have the right authentication. I think in terms of where to learn about it, there's obviously we talk about it a lot on our website and blogs, actually I will hear all credit like Microsoft they have a pretty great like content program on all the security research they do around. M365 and hacks on M365. I think the, unfortunately, like a lot of the controls haven't really followed in the product and they're often spread out around many different kinds of like licensed tiers that are hard to parse, but if you're just looking to understand like the attack surface, MITRE, which you mentioned actually has a framework for Google workspace and M three 65, that's pretty good. And then Microsoft's like security blogs are actually pretty decent here as well.
Ashish Rajan: Awesome. No, thanks for sharing those things. That's most of the technical questions. I had a three more fun questions for you as well.
First one being, what do you spend most time on when you're not trying to solve productivity suite problems?
Abhishek Agrawal: I am a full suburban dad. I have two toddlers four and two. So like I, outside of [00:27:00] work, some class drop offs, school pickups, drop offs different like classes, just doing the like full toddler dad thing outside of work.
We live in the Bay Area try to get them outdoors. But yeah, it's like work and kids are basically my life.
Ashish Rajan: Yeah. So Uber dad, basically. Same question. What is something that you're proud of, but that is not on your social media?
Abhishek Agrawal: Pretty much nothing is on social media. So I'm not really on there. I paint a lot. I haven't done it in a while since starting this company, but I, it's like a hobby of mine and just like weird oil paint or yeah, I do some oil painting and Yeah, I'm weirdly proud of it because it's not something I like ever was like formally trained in or anything, but it's something I've pursued like throughout my life.
So that's,
Ashish Rajan: I need to see some of those paintings at RSA or something.
Abhishek Agrawal: I'm sure they're really small. I never have time to make like large ones. So they're all like eight by 10, but that's convenient.
Ashish Rajan: You can put them in the bag,
Abhishek Agrawal: mail it to you in an envelope.
Ashish Rajan: Final question. What is your favorite cuisine?
Abhishek Agrawal: All right. Favorite [00:28:00] cuisine. I'm a big fan of Mediterranean cuisine. So like basically I would happily eat like hummus every day of my life.
Ashish Rajan: Hummus or what's the fried cheese dish? I don't know if you like that. Oh my God. Oh, like a Saganaki and stuff. Oh yeah. Saganaki. Yeah. Do you like those?
Abhishek Agrawal: I do even calling hummus like Mediterranean is I know a little risky because there's all sorts of factions
Ashish Rajan: but technically I think they are Mediterranean but I mean for the sake of this context I just assume they are I'm not gonna get into that debate yeah fair where can people reach out to you man thanks for answering those questions where can people reach out to you on the internet of the world to talk more about
Abhishek Agrawal: our website is material. security we tend to actually you know take this really novel approach where we actually describe what the product does on the website. So it's pretty easy to understand and read. There's no jargon, but then also you can find me on LinkedIn. My personal email is just Abhishek at material. security. So happy to connect.
Ashish Rajan: I would put those things for the shorts as well, dude. Thanks so much for coming on the show. And thank you for sharing. Shedding light on probably the number one reason why the TTP is a [00:29:00] leaked credential these days. But I'll I appreciate your time and I'll put this in the show notes as well, but like looking forward to having more conversation with you, man.
Thank you so much for having me on the show. Thank you. Thanks for having me. This was fun.
Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at cloudsecuritypodcast. tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity. How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else continues.
If you have any other suggestions, definitely drop them on info at CloudSecurityPodcast. tv. I'll drop that in the description and the show notes as well. So you can reach out to us easily. [00:30:00] Otherwise, I will see you in the next episode. Peace.