From Customer to Employee: A Testimonial from Our SOC

Our Head of Security Operations shares why being an Abnormal customer inspired him to become an Abnormal employee and explores the key differentiators of our cloud email security platform.
April 18, 2023

In an ideal world, the ultimate goal of any security team is to stop every threat by preventing threat actors from ever executing an attack on the organization. Unfortunately, with one attack occurring every 39 seconds, it is not so much a matter of if an organization will experience an attack but when one will happen.

But with the Abnormal platform, we move a bit closer to that ideal. Of course, I work here… I have to say that, right? One would think.

That said, the reason I work at Abnormal is actually because of the product. I first used it in a previous role and it was so effective and such an impressive solution that I felt compelled to join the team to see where the platform went next.

My Experience as an Abnormal Security Customer

Prior to joining Abnormal as the Head of Security Operations, I was managing the information security operations team at a major financial services organization. We experienced our fair share of incoming threats, and, like most large organizations, we had a wall of tools set to stop them—from native email security capabilities to a secure email gateway.

We assumed we were safe. And then we installed Abnormal.

Within the first 60 days, a perfectly normal-looking email landed in a user’s inbox requesting that a past-due invoice for a considerable amount be paid. The email was immediately quarantined, but the user thought that was a mistake and believed the email was genuine.

To determine legitimacy, I dug into the Abnormal Portal to see if this was indeed a false positive. It turns out the suspicious markers in this email were so subtle that any user not doing an in-depth analysis of the message would have missed them. There was no payload; there was no malicious link. But the Abnormal platform caught it.

Abnormal not only saved the organization a significant sum of money in fraud losses but also better protected the impersonated vendor. The email actually came from one of the vendor’s legitimate domains, indicating a compromise somewhere within the vendor’s organization rather than a lookalike domain that a gateway could have blocked on sight.

The Benefit of the Abnormal Platform in a World of One-Trick Ponies

You may read that story and think, “Well, couldn’t any email security solution detect that attack?”

First, if they could, my previous company wouldn’t have needed Abnormal to point out the threat. Second, Abnormal is doing something fundamentally different from other email security vendors, which take a more linear approach by leading with “prevention.” As cybersecurity expert Dr. Eric Cole says, “Prevention is ideal, but detection is a must.”

Consider the Email Account Takeover Protection add-on. While our core platform is expertly built to prevent sophisticated inbound email threats, email is not the only entry point into an organization. When email credentials are compromised, it significantly raises the risk of a costly data breach. And email credentials, through corporate single sign-on, are often the keys to the entire cloud environment. Thus, our customers—and we, internally—need to know when a user’s email account may have been compromised.

Specifically, organizations need a solution that can determine when a malicious internal email has been sent, particularly since secure email gateway (SEG) solutions cannot reliably detect these lateral phishing attempts: a gateway inspects mail crossing the organization’s perimeter, and a message sent from one compromised internal mailbox to another never passes through it. The Email Account Takeover Protection add-on is a thoughtful addition to the core platform, using advanced AI to detect compromised accounts that could otherwise lead to additional attacks and more dangerous breaches.

Our newly released Email Security Posture Management add-on was built on similar principles. This module addresses the visibility gaps security teams face when trying to understand the organization’s security posture. For example, it can be extremely helpful in identifying which apps have access to VIP mailboxes or which users have sufficient privileges to change conditional access policies on a mail tenant. An application suddenly gaining read/write access to an executive’s mailbox is, again, not a direct phishing threat to be prevented, but it could be a sign of compromise that must be detected and addressed.
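To make the two posture checks above concrete, here is an added example (not Abnormal’s code, and not the product’s data model) that replays a handful of constructed audit records and flags exactly those two signals: an app granted mailbox read/write or send scopes on a VIP mailbox, and the users who currently hold a role that can edit conditional access policy. The field names, operation strings, and the use of "*" to mark a tenant-wide admin consent are assumptions made for this example, loosely modelled on Microsoft 365 unified audit log entries; the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample records, loosely modelled on Microsoft 365 unified audit
# log entries. The field names, operation strings and the "*" convention for a
# tenant-wide admin consent are assumptions of this example, not a real schema.
VIP_MAILBOXES = {"ceo@example.com", "cfo@example.com"}
RISKY_MAIL_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
POLICY_ROLES = {"Global Administrator", "Conditional Access Administrator",
                "Security Administrator"}

SAMPLE_EVENTS = [
    # Benign: calendar-only consent on a VIP mailbox.
    {"op": "Consent to application.", "actor": "ceo@example.com",
     "app": "CalendarSyncPro", "scopes": ["Calendars.Read"], "target": "ceo@example.com"},
    # Suspicious: an app suddenly able to read, write and send as the CEO.
    {"op": "Consent to application.", "actor": "ceo@example.com",
     "app": "InvoiceHelper", "scopes": ["Mail.ReadWrite", "Mail.Send"], "target": "ceo@example.com"},
    # Same scopes on a non-VIP mailbox: lower priority, not flagged here.
    {"op": "Consent to application.", "actor": "intern@example.com",
     "app": "InvoiceHelper", "scopes": ["Mail.ReadWrite"], "target": "intern@example.com"},
    # Tenant-wide admin consent: reaches every mailbox, VIPs included.
    {"op": "Consent to application.", "actor": "admin@example.com",
     "app": "BulkMailer", "scopes": ["Mail.ReadWrite"], "target": "*"},
    # Role changes that decide who can edit conditional access policy.
    {"op": "Add member to role.", "actor": "admin@example.com",
     "role": "Conditional Access Administrator", "target": "helpdesk@example.com"},
    {"op": "Add member to role.", "actor": "admin@example.com",
     "role": "Security Administrator", "target": "secops@example.com"},
    {"op": "Add member to role.", "actor": "admin@example.com",
     "role": "Helpdesk Administrator", "target": "helpdesk@example.com"},
    {"op": "Remove member from role.", "actor": "admin@example.com",
     "role": "Conditional Access Administrator", "target": "helpdesk@example.com"},
]


def vip_mailbox_grants(events, vips=VIP_MAILBOXES, risky=RISKY_MAIL_SCOPES):
    """Return (app, mailbox, scopes) for consents that give an app risky mail
    scopes on a VIP mailbox. A tenant-wide consent ("*") is expanded to every
    VIP, because it covers their mailboxes even though no VIP clicked consent."""
    hits = []
    for e in events:
        if e["op"] != "Consent to application.":
            continue
        granted = sorted(set(e["scopes"]) & risky)
        if not granted:
            continue
        affected = sorted(vips) if e["target"] == "*" else [e["target"]]
        for mailbox in affected:
            if mailbox in vips:
                hits.append((e["app"], mailbox, granted))
    return hits


def policy_editors(events, roles=POLICY_ROLES):
    """Replay role membership changes in order and return who currently holds a
    role that can change conditional access policy. Replaying matters: a user
    added and later removed must not be reported."""
    holders = defaultdict(set)
    for e in events:
        if e.get("role") not in roles:
            continue
        if e["op"] == "Add member to role.":
            holders[e["target"]].add(e["role"])
        elif e["op"] == "Remove member from role.":
            holders[e["target"]].discard(e["role"])
    return {user: sorted(r) for user, r in holders.items() if r}


if __name__ == "__main__":
    for app, mailbox, scopes in vip_mailbox_grants(SAMPLE_EVENTS):
        print(f"REVIEW: {app} holds {', '.join(scopes)} on VIP mailbox {mailbox}")
    for user, roles in policy_editors(SAMPLE_EVENTS).items():
        print(f"POLICY EDITOR: {user} via {', '.join(roles)}")
```

Two details are the ones a practitioner tends to get wrong. A tenant-wide admin consent never names the executive, so a check that only matches on the consenting user misses the broadest grants; the example expands "*" to every VIP for that reason. And role membership has to be replayed in order rather than grepped for "Add member to role", otherwise a helpdesk account that was briefly made a Conditional Access Administrator and then removed still shows up as a policy editor.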

Essentially, where Abnormal differentiates itself, and why it was such an appealing company to evaluate, is that it attends both to the “left of boom,” preventing attacks, and to the “right of boom,” detecting compromise activity once an attacker is already inside. I haven’t seen any other solution that can do this so effectively, and that’s why I’m so proud to be using it every single day here at Abnormal.

A Solution That Offers More Without Sacrificing Quality

What differentiates Abnormal? What makes the platform so exciting for me as a security professional?

Many security vendors, understanding that customers want more than point solutions to reduce budget overhead and manual effort, create platforms akin to a Cheesecake Factory menu. What I mean by this is providers are building platforms that offer a ton of capabilities, and while a handful of these features may be truly excellent, the vast majority are just okay. That’s not Abnormal.

In contrast, the Abnormal platform delivers adjacent capabilities that solve the problems our customers face in relation to our core goal of securing the cloud email platform. It’s less a Cheesecake Factory menu and more a tasting menu at a molecular gastronomy restaurant, where each ingredient and each plate come together to tell a broader story.

This is not only evident in what Abnormal builds internally, but also in the partnerships and integrations we develop. Most platforms can export events and alerts to the SIEM or various XDR tools, but at Abnormal, the data we ingest is what makes the data we export so valuable.

We recently announced a bi-directional integration with CrowdStrike, allowing us to enhance investigation and threat detection by ingesting risk data from CrowdStrike Falcon Identity Protection. In the other direction, Abnormal shares evidence of compromised email accounts back into Falcon. This mutually beneficial sharing of data increases the value of both platforms in a way that feels organic and useful—making it a true partnership rather than just a marketing campaign. And while I wish I could spill the beans on what comes next, just know that I’m excited… and you should be too.

The Abnormal Difference in Email Security

The Abnormal platform is built to secure the present and the future of cloud email. If a vendor cannot articulate its platform’s purpose in a sentence that plain, you may be in for a lot of functionality without a lot of function.

There is a Goldilocks zone when it comes to effective security platforms. Can the average solution solve the core problem, in this case email security? Sure. But can it solve the edge cases like lateral phishing or account takeover? Can it block those text-only business email compromise (BEC) attacks that carry no link or attachment and come from legitimate domains? Can it truly understand when a vendor’s banking account has been changed, and why that may indicate an attack?

If it doesn’t account for those additional, related pains, it’s too narrow. If it veers into territory that does not seem to fit the core goal, it’s too broad and too unfocused. In the case of the Abnormal platform, it’s just right.

See for yourself how Abnormal can offer comprehensive protection of your cloud environment. Schedule your demo today.
