To sum up the TL;DR of our introduction to FUDdy, we all know that phishing attacks are growing in size and complexity, AI is enabling more advanced attacks that evade traditional defenses, and the cybersecurity talent shortage is unrelenting as we struggle to adequately staff our security teams.
This reality means security teams need to be able to monitor and respond to threats effectively and efficiently – they can’t afford to miss real threats, but they also can’t afford to waste time chasing false positives.
In this article, we’ll discuss some of the ways Material Security’s unique approach to email security and data protection can save your security team significant (and quantifiable) hours each week while increasing the effectiveness of your security program.
What is your alert budget?
Before we get into the “how,” let’s take a moment to consider why efficiency is key in security operations. Think about how many alerts your security and incident response teams can realistically triage, investigate, and respond to each day. Just as departmental budgets limit how much you can spend on people and tools, security teams are limited by how much time they can devote each day to responding to threats. That’s your alert budget.
Of course, that number will vary from day to day depending on the severity and complexity of the incidents you encounter, the number of important strategic projects your team is working on, and many other factors, but there is a limit. Just as you can’t afford to waste your limited financial resources on redundant tools and software that don’t add value to your team, you can’t afford to waste your alerting budget investigating duplicate alerts, repeatedly fixing the same issues, or chasing false positives.
How efficiently your security team spends their alert budget is just as important, if not more so, than how they spend their money. Let’s take a closer look at how to improve that efficiency.
Balance between precision and sensitivity
No matter how many alerts your team receives, there are only so many hours in a day they can spend responding to them. Material’s approach to phishing is built on the philosophy of helping our customers make the most of their time. The alerts we generate need to catch as many threats as possible, while at the same time producing as few false positives as possible.
“Precision” and “recall” are terms familiar to data scientists but may not immediately ring a bell for security practitioners. In the context of email detection, precision is a measure of how many emails flagged as malicious are actually malicious, while recall is a measure of how many actual malicious emails received are flagged by the system.
A security system that produces few false positives has high precision, while a system that catches nearly all of the malicious emails it receives has high recall. At some level of granularity there is a trade-off between the two. As you might expect, you can reduce the number of false positives by lowering the sensitivity of your detection, but lowering the sensitivity usually means that true positives are missed as well. Conversely, you can minimize the number of missed true positives by raising the sensitivity significantly, but doing so increases the number of false positives.
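The trade-off above, and the alert budget from the previous section, can be made concrete with a small threshold sweep. The following is an added example, not Material Security’s code: each constructed message carries a detector score and an analyst verdict, precision and recall are computed for several thresholds, and the budget-aware helper picks the highest-recall threshold whose daily alert volume still fits the team’s capacity. The scores, labels and thresholds are all assumptions chosen to illustrate the curve.

```python
"""Precision/recall trade-off across detection thresholds (added example).

Constructed sample data: each message has a detector score in [0, 1] and a
ground-truth label (True = actually malicious, as decided by an analyst).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScoredMessage:
    msg_id: str
    score: float     # detector's confidence that the message is malicious
    malicious: bool  # ground truth from the analyst's verdict


# Constructed sample: ten messages, four of them genuinely malicious.
SAMPLE = [
    ScoredMessage("m01", 0.95, True),
    ScoredMessage("m02", 0.90, True),
    ScoredMessage("m03", 0.85, False),  # benign but urgent-sounding vendor mail
    ScoredMessage("m04", 0.70, True),
    ScoredMessage("m05", 0.60, False),
    ScoredMessage("m06", 0.55, True),   # subtle pretexting attack, low score
    ScoredMessage("m07", 0.40, False),
    ScoredMessage("m08", 0.30, False),
    ScoredMessage("m09", 0.20, False),
    ScoredMessage("m10", 0.05, False),
]
THRESHOLDS = [0.9, 0.8, 0.65, 0.5, 0.0]  # assumed candidate cut-offs


def precision_recall(messages, threshold):
    """Flag every message with score >= threshold; return (precision, recall).

    precision = TP / (TP + FP): share of flagged messages that really are malicious
    recall    = TP / (TP + FN): share of malicious messages that were flagged
    """
    tp = sum(1 for m in messages if m.score >= threshold and m.malicious)
    fp = sum(1 for m in messages if m.score >= threshold and not m.malicious)
    fn = sum(1 for m in messages if m.score < threshold and m.malicious)
    precision = tp / (tp + fp) if tp + fp else 1.0  # nothing flagged: no false positives
    recall = tp / (tp + fn) if tp + fn else 1.0
    return precision, recall


def flagged_count(messages, threshold):
    """Number of alerts this threshold would generate for the sample."""
    return sum(1 for m in messages if m.score >= threshold)


def sweep(messages, thresholds):
    """Map each threshold to its (precision, recall) pair."""
    return {t: precision_recall(messages, t) for t in thresholds}


def choose_threshold(messages, thresholds, max_alerts):
    """Highest-recall threshold whose alert count fits the budget (ties -> precision).

    Returns None when even the strictest threshold exceeds the budget.
    """
    best = None
    for t in thresholds:
        if flagged_count(messages, t) > max_alerts:
            continue
        p, r = precision_recall(messages, t)
        if best is None or (r, p) > best[0]:
            best = ((r, p), t)
    return None if best is None else best[1]


if __name__ == "__main__":
    for t, (p, r) in sweep(SAMPLE, THRESHOLDS).items():
        print(f"threshold {t:.2f}: precision {p:.2f} recall {r:.2f} alerts {flagged_count(SAMPLE, t)}")
    print("budget of 4 alerts ->", choose_threshold(SAMPLE, THRESHOLDS, 4))
```

Lowering the threshold from 0.9 to 0.5 takes recall from 0.5 to 1.0 in this sample, but it also triples the alert count; `choose_threshold` makes that cost explicit by refusing any cut-off whose volume the team could not triage.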
At Material, we’ve focused on building a detection engine that effectively balances these two and detects malicious messages that really require your attention. In today’s increasingly complex threat environment, no single layer of protection is enough, and no single detection methodology strikes the right balance. That’s why the Material detection engine consists of four main components:
- Material Detection: It combines machine learning techniques with rules built by our dedicated threat research team. AI and ML are great at connecting the dots and finding relationships that humans might miss, but despite recent advances in AI, there is still no substitute for the insight and power of human expertise. Material Detection combines the best of both worlds.
- Custom Detection: Because every organization and environment is different, we provide our customers with the ability to create custom detections based on what is being seen across their user base and in their environments.
- Email Provider Alert: Google and Microsoft periodically issue alerts about phishing emails detected after delivery, and we ingest those alerts, process them, and add them to our detections.
- User reports: From capturing user reports and consolidating similar messages in a single case to instantly applying automatic protection, Material automates abuse mailboxes while providing flexible remediation flows for security teams.
All these aspects combine to create a powerful and highly accurate detection platform that provides strong protection to our customers without wasting time on false positives and noise. We believe this is the right balance between precision and recall. However, while effectively balancing precision and sensitivity is important, it is not enough; a modern email security platform must also streamline security operations themselves.
Fool me twice, shame on you.
There has been a noticeable increase in email attack campaigns that are not only widespread but also highly personalized. There is some debate as to how much of this can be attributed to generative AI. While the prevailing view was that the explosion in generative AI would give attackers new tools, research such as Verizon’s 2024 DBIR shows that so far it has had little meaningful impact on attacks and breaches.
Whether these attacks are AI-generated or not, there is no denying that they are on the rise. Of course, we still see the common and transparent “Are you free?” message from the “CEO” that arrives when we join a new company. But we also receive emails from spoofed and homoglyphic domains that pose as trusted partners and vendors, or that carry fake invoices as attachments, and complex pretexting attacks with completely believable stories from senders that appear to have a connection to us. These fool even the most conscientious users.
And while these attacks are often repeated across an organization, they are customized for each recipient. Not only do they evade native email security controls and get through SEGs, they appear as separate attacks. Subjects, senders, and even body content vary from email to email, making them difficult to easily group together. This means security teams are faced with dozens or even hundreds of repeats of the exact same attack, requiring multiple cycles to investigate and respond.
Material helps security and IR teams address this problem by automatically clustering suspicious messages. When Material detects a potential threat, it automatically creates a case within the platform. It then combs through your environment looking for messages that match that case, based on a variety of criteria. Of course, it looks for similarities across the usual fields, like sender, subject, and body. But it also looks for matches to attacks that can’t be grouped together in other ways, like URLs embedded in messages or attachments.
Material creates a case for every message it detects and clusters similar messages together to simplify investigation and remediation.
When messages are consolidated into a single case, triage, investigation, and even remediation become significantly easier. By default, speed bumps are applied automatically: all messages in a case warn users that they may be malicious before your team has even investigated. When you investigate one message in a case and apply a remediation, the same remediation is applied to every message in that case, including matching messages delivered after the investigation.
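To show what the clustering and case-level remediation described above look like mechanically, here is an added example that is not Material Security’s code and does not reflect its internal matching criteria. Messages that share any indicator (sender address, normalized subject, embedded URL, or attachment SHA-256) are placed in one case; a message that bridges two existing cases merges them; new cases start with the default speed-bump warning; and a remediation set on the case is inherited by a matching message that arrives after the analyst has finished. Every message, domain and URL is constructed.

```python
"""Clustering recipient-customized phishing messages into cases (added example).

Not Material Security's code; the indicator set and remediation names are
assumptions made for illustration. All message data below is constructed.
"""
from dataclasses import dataclass
import re

# Remediation precedence used when two cases merge: keep the stronger action.
RANK = {"speed_bump": 0, "block_links": 1, "remove": 2}


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    subject: str
    urls: frozenset = frozenset()
    attachment_sha256: frozenset = frozenset()


def normalize_subject(subject):
    """Drop reply/forward prefixes, case and punctuation so that
    'RE: Invoice #4471 overdue!' and 'invoice 4471 overdue' compare equal."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.lower())
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", s).split())


def indicators(msg):
    """Typed indicator keys; two messages are similar if they share any key."""
    keys = {("sender", msg.sender.lower())}
    subj = normalize_subject(msg.subject)
    if subj:  # an empty subject must not link unrelated messages
        keys.add(("subject", subj))
    keys |= {("url", u) for u in msg.urls}  # URL paths are case-sensitive: exact match
    keys |= {("sha256", h.lower()) for h in msg.attachment_sha256}
    return keys


class CaseBook:
    """Incrementally clusters messages into cases and tracks per-case remediation."""

    def __init__(self):
        self.cases = []  # each: {"ids": set, "indicators": set, "remediation": str}

    def ingest(self, msg):
        """Attach msg to every case it matches (merging them) or open a new one.
        Returns the sorted message ids now in msg's case."""
        keys = indicators(msg)
        matched = [c for c in self.cases if c["indicators"] & keys]
        if not matched:
            case = {"ids": set(), "indicators": set(), "remediation": "speed_bump"}
            self.cases.append(case)
        else:
            case = matched[0]
            for other in matched[1:]:  # msg bridges several cases: merge them
                case["ids"] |= other["ids"]
                case["indicators"] |= other["indicators"]
                if RANK[other["remediation"]] > RANK[case["remediation"]]:
                    case["remediation"] = other["remediation"]
                self.cases.remove(other)
        case["ids"].add(msg.msg_id)
        case["indicators"] |= keys
        return sorted(case["ids"])

    def remediate(self, msg_id, action):
        """Apply action to the whole case containing msg_id; return affected ids."""
        case = self._case_of(msg_id)
        case["remediation"] = action
        return sorted(case["ids"])

    def action_for(self, msg_id):
        return self._case_of(msg_id)["remediation"]

    def _case_of(self, msg_id):
        for c in self.cases:
            if msg_id in c["ids"]:
                return c
        raise KeyError(msg_id)


# Constructed campaign: sender and subject vary per recipient, but the invoice
# lure reuses one payment URL and the "CEO" lure reuses one sender address.
PAY_URL = "https://pay.example-invoices.test/4471"
CAMPAIGN = [
    Message("m1", "ap@vendor-invoices.example", "Invoice #4471 overdue!", frozenset({PAY_URL})),
    Message("m2", "billing@vend0r-invoices.example", "RE: invoice 4471 overdue"),
    Message("m3", "ceo@corp-exec.example", "Are you free?"),
    Message("m4", "ceo.office@corp-exec2.example", "quick question", frozenset({PAY_URL})),
    Message("m5", "ceo@corp-exec.example", "Following up"),
]
LATE_ARRIVAL = Message("m6", "noreply@other.example", "Payment", frozenset({PAY_URL}))


def run_demo():
    """Cluster the campaign, remediate one message, then ingest a late arrival."""
    book = CaseBook()
    for m in CAMPAIGN:
        book.ingest(m)
    cases = sorted(sorted(c["ids"]) for c in book.cases)
    affected = book.remediate("m1", "block_links")  # analyst handles one message
    book.ingest(LATE_ARRIVAL)                       # delivered after the investigation
    return cases, affected, book.action_for("m6")


if __name__ == "__main__":
    print(run_demo())
```

Five messages with five different subjects and four different senders collapse into two cases, and the late arrival `m6` is blocked by the remediation chosen for `m1` without anyone looking at it.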
We’re already seeing powerful examples of how this helps customers in the real world. A Material customer recently told us they tracked a phishing email investigation over a three-month period. In the 90 days they worked with Material Security, their SOC saved over 300 hours of time investigating and responding to phishing emails – all of which remained in their alert budget to address other pressing issues.
Leverage the collective intelligence of your organization
Today’s employees are well aware of the threat of phishing. That doesn’t mean they won’t fall for it, of course, but it does mean they’re on the lookout for messages that seem suspicious, inappropriate, or simply unexpected.
And it’s important to get it right: No single line of defense can catch all incoming email threats, and even with incredible advances in AI and machine detection, there’s no substitute for an eagle-eyed employee noticing when an email looks suspicious.
The downside is that user reports can also put a huge strain on security teams if not handled properly: duplicate reports, harmless emails flagged for review, the need to respond to the user who flagged them… for dozens or even hundreds of reports a day, the time it takes to act on all of them adds up quickly.
Material automates the entire lifecycle of user report responses and applies instant herd immunity to all messages within a reported message case across your organization.
Material reduces the day-to-day back-end work of user reports and automates abuse mailboxes to speed remediation and save security teams time. Material automatically adds a speed bump to messages reported across your user base, providing an immediate layer of protection while your security team investigates the issue.
Granular remediation options allow your team to speed bump, block links, or remove reported emails entirely if they are found to be malicious. And with case merging and similar message matching, investigating and responding to one email answers all similar messages across an entire case. Finally, Material automatically responds to reporters with an acknowledgement message, which can be modified or updated as needed as the investigation progresses.
Material simplifies and streamlines the process of capturing and responding to user reports, while adding immediate protection to provide air cover for investigations.
Advanced protection you can trust, efficiency you can take to the bank
Security teams already have enough to do. With Material Security, you’ll dramatically reduce false positives, speed up triage and investigation of phishing cases, and spend less time managing user reports. Material frees up your alert budget so you can spend it on what really matters.
To see how much time it could save your security team, request a demo today.