Abnormal Activity: New Integrations, Deeper Insights, and Enhanced Detection

Welcome to the newest edition of Abnormal Activity! This quarterly blog and webinar series offers valuable insights into our product's ongoing development and enhancements. In May, we made several significant announcements, including the launch of the AI Security Mailbox, Cloud Account Takeover Protection, and ThreatIntelBase. Our commitment to developing the next generation of AI-powered security products remains unwavering, and this quarter was no exception.

Today, I’m excited to highlight our most recent enhancements, including new integrations, deeper insights into Abnormal, and a suite of detection improvements.

We encourage customers to join us for our quarterly customer Abnormal Activity webinar on September 4 at 1:00 pm ET, or September 5 at 10:00 am Australian Eastern Standard Time (AEST), where we will dive into these enhancements while also reviewing our product roadmap and answer your burning questions live.

Forcepoint Integration for Data Loss Protection (DLP)

Security teams are tasked with safeguarding sensitive information ranging from trade secrets to personally identifiable information. Failing to protect this mission-critical information can have serious consequences, including damage to reputation, penalties, or fines. To protect this information, customers can deploy a Data Loss Protection (DLP) product that:

• Meets compliance requirements

• Addresses concerns about accidental data loss

• Reduces the danger of insider threats

Forcepoint provides an industry-leading DLP solution that features a built-in library of over 1,700 policy templates and offers streamlined management of policies and incidents. With Forcepoint’s machine-learning content recognition, it can detect 900+ file types across both structured and unstructured data. Abnormal and Forcepoint customers can now integrate the two products. When deployed together, customers can confidently secure their organizational assets with the powerful combination of Abnormal’s AI-based inbound detection and Forcepoint’s DLP outbound protection.

Asana Integration

Earlier this year, we announced integration with 13 new SaaS and cloud applications to enhance cloud visibility and control via PeopleBase.

This quarter, we added another. The top project management platform Asana is probably your go-to-market team's best friend. It not only centralizes all of marketing and sales enablement's critical projects but also stores the sensitive data associated with them. Given that Asana allows third parties to access the platform for collaboration, it's crucial to know who has access and how they are accessing it.

Similar to other integrated applications, Abnormal ingests and analyzes Asana sign-in activity to detect significant events that deviate from a user's normal behavior. Additionally, you gain visibility into whether a user has admin access to Asana. This enhanced understanding of your Asana environment ensures that no attackers are lurking within marketing, allowing your team to enjoy their lattes in peace.

SIEM Events Authentication Results

When Abnormal processes emails, we perform a set of sender authentication checks based on the protocols SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). The results of these checks are displayed on the Email Details Page in the Abnormal portal. Customers can now access this information as a new field in the Email Threats event type, allowing for ingestion into their SIEM integration to extract relevant information to create incident response workflows. All this will be possible without having to manually access the Portal.

REST API Endpoint for Audit Log Data

Customers can already view Audit Logs in the Abnormal Portal and access data through our SIEM export events, but this information has historically not been available through our REST API.

We are excited to expand our API functionality to include Abnormal Audit Logs. With this new Audit Log REST API endpoint, customers can ingest Abnormal Portal audit logs through the REST API and extract relevant information to create incident response workflows and alerts of suspicious user activity. All this will be possible without having to access audit logs in the Portal manually.

Each organization has unique pain points and security goals. To ensure we exceed each customer's expectations, we now offer an in-portal view of success criteria, providing continuous insight into the value derived from the Abnormal platform. This feature grants customers access to the following:

1. Success Criteria: Portal admins can assess and prioritize the importance of various value statements for their organization and evaluate Abnormal’s current performance.

2. Feedback: Portal admins can share feedback with their Abnormal team based on the evaluation of success criteria.

3. In-Portal User Experience: Portal admins receive a personalized, in-product experience that highlights the unique value of their Abnormal investment.

Event Status Labels for Security Posture Management

Continuing the trend of new enhancements for Security Posture Management, status updates are now available for each posture change. While this may sound like a minor enhancement, this is an answer to a major customer need as Security Posture Management now allows security teams to coordinate a response to risky posture changes and ensure the entire team is appropriately notified of progress.

Security teams can now track investigatory and remediation processes by labeling each risky posture change as:

• “Needs review” for new or unread events

• “In progress” if the team is currently investigating the change

• “Acknowledged (resolved)” when a change has been corrected

• “Acknowledged (not important)” for a change that was deemed to not be a risk

Further, any changes noted as “Acknowledged (not important)” will serve to enrich Abnormal’s AI models, refining future detections.

Abnormal is committed to providing our customers with the highest level of detection efficacy. To achieve this, we are constantly tuning and improving our detection methodologies. This quarter I want to highlight three enhancements made to our detection engine:

1. Model Retraining Upgrade: We have deployed continuously trained text and ensemble models designed to adapt to evolving attack patterns within Abnormal's environment. This advancement is anticipated to enhance our ability to detect previously unseen sender attacks.
   
   

2. Payload Detection Improvements: In the last quarter, our efforts were concentrated on mitigating payload attacks detectable within the message body, particularly through analyzing URL text and auxiliary domain data. As part of this initiative, we are categorizing and developing features for weekly classification and metrics tracking. Additionally, we are implementing new detectors to effectively address false negatives.
   
   

3. Vendor Fraud Text Model: We aimed to enhance our Vendor Fraud Product by improving the detection of Business Account Update (BAU) attacks and vendor compromise incidents. Recently, there has been a noticeable increase in BAU attacks utilizing novel types of excuses. To address this, we developed and trained a new "BAU Excuse" model specifically designed to identify and mitigate these sophisticated threats.

In addition to the enhancements made above, Abnormal is constantly retraining its detection models to respond to new and emerging attack patterns we observe. The combination of our AI-based detection and the proactive nature of our enhancements secures best-in-class detection efficacy for Abnormal customers.

Abnormal is dedicated to continuously refining our current product offerings and detection capabilities while also developing innovative new products and features to enhance the security of our customers' environments. To get a sneak peek at our product roadmap, customers can join the Abnormal Activity webinar on September 4 at 1:00 pm ET, or September 5 at 10:00 am Australian Eastern Standard Time (AEST).

If you aren’t yet a customer, learn more about what Abnormal can do for you today by requesting a demo below.