Summer 2023 Product and Detection Recap: Expansive Integrations Provide Greater Protection for Cloud Email
This summer, Abnormal delivered significant enhancements with real impact—ensuring our customers can truly protect against the full spectrum of email and collaboration attacks while spending less on email security.
This latest batch of releases is in service of protecting cloud communications today and of keeping that protection ahead of attackers as their techniques grow more sophisticated.
Before this introduction becomes too overwrought, let’s discuss what’s new at Abnormal to highlight exactly how we are achieving our lofty goals.
Greater Protection Through Expansive Integration
Abnormal Protects Slack, Zoom, and Microsoft Teams to Secure Collaboration
Attackers are finding ways to infiltrate organizations’ own key communal spaces in this remote work world: collaboration apps such as Slack, Zoom, and Microsoft Teams.
In fact, according to recent research by ESG, 89% of surveyed organizations had seen at least one attack on collaboration apps in the month preceding the survey, and 52% had dealt with a multi-channel attack that spanned email and collaboration apps.
To address this, Abnormal extended its messaging protection, account takeover protection, and security posture management capabilities to protect the most common collaboration platforms.
Messages sent in Microsoft Teams, Slack, or Zoom chat are analyzed for malicious URLs, whether the sender is an internal employee or an external collaborator with access to the platform. Abnormal administrators are notified when a suspicious message is detected.
Further, any suspicious sign-in activity—such as a user accessing Slack from a known-bad IP address—will be used to determine whether a user has been the victim of an account takeover. Abnormal will also surface changes to user privileges on Slack and Zoom to further bolster the investigation of suspicious accounts.
Abnormal’s Data Ingestion Platform and Deployment Overview Simplify Integration
Every security tool on the market today has dozens of integrations, and with good reason: interoperability with other tools and ingestion of data from protected platforms ultimately make an organization more secure.
But it can be a difficult task to not only connect to these different data sources but understand which connections already exist.
The Abnormal Data Ingestion Platform gives customers a simple workflow to integrate and ingest data from applications such as Slack, Zoom, and Okta—walking customers through the steps to complete the connection and operationalize the data from their most critical applications and tools.
The Deployment Overview provides a visualization of all connected data sources and applications, as well as activated Abnormal add-on solutions and push and push-pull integrations with additional security tools such as CrowdStrike.
Analyzing Privilege Escalation and Access Policy Abuse in Email Account Takeover Protection
Many of our customers have come to us with a common security concern: a lack of visibility into key email platform configuration changes. Abuse of user privileges and conditional access policies can lead to a data breach or help a successful attacker establish persistence, yet these changes are often discovered only during the post-mortem investigation, after a breach has already gone too far.
To address these concerns, Abnormal now surfaces configuration changes in its account takeover protection cases. For customers that have both Email Security Posture Management and Email Account Takeover Protection, a potentially compromised user modifying mail tenant conditional access policies or gaining elevated privileges is treated as a signal, used both to determine whether an account has truly been taken over and to enrich the ensuing investigation.
Email Security Posture Management Shines a Light on Mail Filter Rules and New App Permissions
Continuing with the Email Security Posture Management updates, Abnormal now surfaces additional configuration changes, including mail filter rule changes and over a dozen new third-party application permissions. These trigger alerts on new and notable changes, such as a user adjusting mail filter rules to delete all incoming messages, or a third-party app being granted permission to join video calls and to directly create and send emails.
Each of these changes can indicate a risk (or worse, a compromised account), so being able to surface and understand these changes is crucial when addressing the aforementioned visibility gap into platform configurations.
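To make the signals described above concrete (known-bad sign-in IPs, privilege changes, conditional access policy edits, delete-all inbox rules, and sensitive app permission grants), here is a small rule-based detector run over constructed audit events. This is an added illustration, not Abnormal's code or detection logic: the event schema, operation names, and sample events are hypothetical, the known-bad network is a documentation range, and only the permission names (Mail.Send, Mail.ReadWrite, OnlineMeetings.ReadWrite) follow real Microsoft Graph naming.

```python
"""Added example (not Abnormal's code): rule-based detection of the posture and
account-takeover signals discussed in the text, run over CONSTRUCTED audit events
in a simplified, hypothetical schema."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed threat-intel list (TEST-NET-3); a real deployment would use a feed.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# App permissions that let a third-party app send mail or join meetings.
# Names follow Microsoft Graph naming; the event schema below is an assumption.
SENSITIVE_APP_PERMISSIONS = {"Mail.Send", "Mail.ReadWrite", "OnlineMeetings.ReadWrite"}
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}


@dataclass
class Finding:
    user: str
    signal: str
    detail: str


def _is_known_bad(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def evaluate(event: dict) -> List[Finding]:
    """Return zero or more findings for a single audit event."""
    user, op, found = event.get("user", "?"), event.get("op"), []
    if op == "SignIn" and _is_known_bad(event["ip"]):
        found.append(Finding(user, "signin_known_bad_ip", event["ip"]))
    elif op == "New-InboxRule":
        rule = event["rule"]
        # A delete rule with no conditions silently discards every inbound
        # message, hiding security notices and replies during a takeover.
        if rule.get("delete") and not rule.get("conditions"):
            found.append(Finding(user, "inbox_rule_delete_all", rule.get("name", "")))
        fwd = rule.get("forward_to")
        if fwd and fwd.split("@")[-1].lower() != event["tenant_domain"]:
            found.append(Finding(user, "inbox_rule_external_forward", fwd))
    elif op == "ConsentGrant":
        granted = set(event["permissions"]) & SENSITIVE_APP_PERMISSIONS
        if granted:
            found.append(Finding(user, "app_sensitive_permissions",
                                 f"{event['app']}: {sorted(granted)}"))
    elif op == "RoleAssigned" and event["role"] in PRIVILEGED_ROLES:
        found.append(Finding(user, "privilege_escalation", event["role"]))
    elif op == "ConditionalAccessPolicyChanged" and event.get("state") == "disabled":
        found.append(Finding(user, "ca_policy_disabled", event["policy"]))
    return found


def correlate(events: List[dict]) -> Dict[str, List[Finding]]:
    """Group findings per user and escalate only users showing two or more
    distinct signal types, mirroring the multi-signal approach in the text."""
    by_user: Dict[str, List[Finding]] = {}
    for ev in events:
        for fd in evaluate(ev):
            by_user.setdefault(fd.user, []).append(fd)
    return {u: fds for u, fds in by_user.items() if len({f.signal for f in fds}) >= 2}


# Constructed sample events: alice shows a full takeover chain, bob only an app
# consent, carol a benign conditional delete rule from a clean address.
SAMPLE_EVENTS = [
    {"op": "SignIn", "user": "alice@example.com", "ip": "203.0.113.7"},
    {"op": "New-InboxRule", "user": "alice@example.com", "tenant_domain": "example.com",
     "rule": {"name": "cleanup", "delete": True, "conditions": {}}},
    {"op": "ConsentGrant", "user": "bob@example.com", "app": "MeetingBot",
     "permissions": ["User.Read", "Mail.Send", "OnlineMeetings.ReadWrite"]},
    {"op": "RoleAssigned", "user": "alice@example.com", "role": "Exchange Administrator"},
    {"op": "SignIn", "user": "carol@example.com", "ip": "198.51.100.4"},
    {"op": "New-InboxRule", "user": "carol@example.com", "tenant_domain": "example.com",
     "rule": {"name": "newsletters", "delete": True,
              "conditions": {"subject_contains": "Unsubscribe"}}},
]

if __name__ == "__main__":
    for user, findings in correlate(SAMPLE_EVENTS).items():
        print(f"ATO case: {user}")
        for fd in findings:
            print(f"  {fd.signal}: {fd.detail}")
```

Run as written, only alice is escalated to a case (bad-IP sign-in, delete-all rule, and a privileged role), while bob's consent grant is a single posture finding and carol's conditional delete rule produces nothing. The threshold of two distinct signal types is an arbitrary choice for the example; a real system would weight each signal rather than count them.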
Abuse Mailbox Makes it Easy to Triage User-Reported Email Right Through the SIEM
We’ve enhanced our Abuse Mailbox workflows for customers needing to analyze and triage user-reported emails through the SIEM.
Because many of our customers consider the SIEM the core of their incident response and compliance workflows, Abnormal integrates with Splunk, SumoLogic, and IBM QRadar so customers can pull Abuse Mailbox data for emails that have been judged a threat, spam, or benign.
This not only streamlines email security operations but ensures visibility into potential attacks across the security function.
Abnormally Effective Improvements to Detection Models and Methods
Product enhancements aside, we have also continued to improve our detection capabilities. Abnormal is built on advanced AI, and it is imperative that our detection models outstrip attackers—especially as those attackers make use of AI themselves.
Expanded Graymail Detection Drastically Improves Efficacy
While not an outright security threat, graymail (the promotional email clogging your inbox) is a drain on organizational productivity.
By expanding our graymail detection methods, such as analyzing unusual graymail sender patterns, we continue to increase the amount of graymail we keep from cluttering customer inboxes.
Message Detection Efficacy Improves to Reduce False Positives
Our messaging detection models are continuously trained and improved to catch threats, but tuning for higher recall can also raise the false positive rate. With this latest round of enhancements, we continue to reduce false positives and separate signal from noise.
What’s Coming This Fall?
So, what’s next for Abnormal? Well, luckily, we are not gearing up for a disappointing series finale. Before we begin to roll out our next round of enhancements, learn about what Abnormal can do for you now by requesting a demo today.