Product FAQ: Threat Analysis - Abnormal Security

Commonly Asked Questions:

If links in a message are rewritten (via Proofpoint TAP, Microsoft ATP Safe Links, etc.), how does that affect Abnormal Security's ability to analyze the link to determine if you've seen the root URL before, etc.?

As part of its link analysis, Abnormal Security automatically unwraps Proofpoint TAP and Microsoft ATP Safe Links rewrites and performs its analysis on the underlying link.
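As an added illustration (not Abnormal Security's code), the following shows how an analyst can reproduce that unwrapping step for the two rewrite formats named above. The Safe Links `url` parameter and the Proofpoint urldefense v2 `u` encoding are assumptions about those products' formats, the sample links are constructed, and anything else (urldefense v3 included) is returned unchanged rather than guessed at.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"

def decode_proofpoint_v2(encoded: str) -> str:
    """Decode the 'u' parameter of a urldefense /v2/url link (assumed format):
    '/' is written as '_' and any other reserved byte as '-XX' hex, so '-3A'
    is ':', '-2D' a literal '-' and '-5F' a literal '_'. Rewriting '-XX' to
    '%XX' lets urllib decode it, multi-byte UTF-8 included."""
    with_slashes = encoded.replace("_", "/")
    return unquote(re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", with_slashes))

def unwrap_once(url: str) -> str:
    """Strip one layer of rewriting; return the input unchanged if it is not
    a Safe Links or Proofpoint v2 link (v3 and others are left alone)."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    query = parse_qs(parsed.query)
    # Safe Links keeps the original, percent-encoded, in the 'url' parameter.
    if (host == SAFELINKS_SUFFIX or host.endswith("." + SAFELINKS_SUFFIX)) and "url" in query:
        return query["url"][0]
    if host == "urldefense.proofpoint.com" and parsed.path.startswith("/v2/url") and "u" in query:
        return decode_proofpoint_v2(query["u"][0])
    return url

def unwrap_rewritten_url(url: str, max_depth: int = 5) -> str:
    """Peel nested wrappers (one gateway rewriting another's link) until the
    URL stops changing, bounded so a malformed link cannot loop forever."""
    for _ in range(max_depth):
        inner = unwrap_once(url)
        if inner == url:
            break
        url = inner
    return url

# Constructed sample links (not captured from any real mail).
SAMPLE_SAFELINK = (
    "https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com"
    "%2Flogin%3Fid%3D42&data=04%7C01%7C&sdata=abc&reserved=0"
)
SAMPLE_PROOFPOINT = (
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_path_a-2Db"
    "-3Fq-3D1-26r-3D2&d=DwMFaQ&c=x&r=y&m=z&s=w&e="
)
SAMPLE_NESTED = (
    "https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense"
    ".proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__example.com_x%26d%3D1&data=x"
)
```

The nested sample shows why the loop matters: a Safe Links rewrite of an already Proofpoint-wrapped link only reveals the real destination after both layers are removed.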

How does Abnormal scan messages if we use S/MIME within Gmail?

Through the G Suite API, Abnormal is able to detect which messages are encrypted. Integrating directly with the mail platform (G Suite) gives Abnormal access to the data required to process and score messages accurately.

What scanning engines does Abnormal Security currently leverage for both attachment and URL scanning?

Abnormal Security uses threat intelligence as well as behavioral profiling. For never-before-seen URLs and attachments, Abnormal has found that no external threat engine is available to detect these attacks, so the scanning engines used for detection are proprietary to Abnormal Security. For attachment scanning, the system detonates attachments in a Cuckoo Sandbox. For URL scanning, an internal web sandbox is used to detect phishing pages.

Is Abnormal Security similar to User Behavioral Analysis (UBA)?

We hear this quite often; however, UBA is often associated with a high rate of false positives, whereas Abnormal Security prides itself on a very low false positive rate. We take false positives as seriously as we take false negatives, which is why 95% of our customers are confident enough to enable auto-remediation on the strength of that efficacy rate.

How is Abnormal Security different from a Secure Email Gateway (SEG) like Proofpoint, Mimecast, and Ironport?

  • Data science approach that leverages data beyond email: traditional SEGs are focused on a threat intelligence approach, whereas Abnormal combines Identity, Relationship, and Content signals.
  • API-based integration that is simple to implement: it does not introduce latency into email delivery and does not impact other email security solutions (SEG, EOP, etc.).
  • Complements, rather than duplicates, the existing security capabilities of O365 and G Suite: SEGs have a high degree of functional overlap with the native capabilities of EOP (both perform anti-spam, anti-virus, malware detection, etc.), whereas Abnormal is designed to complement EOP and focus on the attacks that EOP does not address.

Want to learn more?

Schedule a personalized product demo to see:

  • Threat analytics, insights and reporting
  • Automated Triage, Investigation and response tools
  • Platform integrations into SIEM, SOAR
  • …and more