Abnormal

"As we started plugging in all the tools to Dazz, we could easily see the value that Dazz provides and how that value would grow in the future."

Mike Britton, CISO

Company

Abnormal Security

Environments

– AWS

– Azure

Use cases

– Discover

– Reduce

– Fix

Results

– Security issues ↓ 1,000:1

– MTTR ↓ 95%+

– Risk window ↓ from weeks to <1 day

About the customer

Abnormal Security is a rapidly-growing high-technology company that provides advanced email security to prevent credential phishing, business email compromise, account takeover, and more.

The environment

Abnormal is a cloud-first, largely remote, rapidly growing high-tech company. Its development runs primarily in Amazon Web Services (AWS), with some workloads in Microsoft Azure. It maintains a modern, microservices-based environment built for highly elastic spikes in usage, with the ability to scale from zero to the equivalent of 20 data centers and back down again in a matter of minutes.

The team maintains its code base in GitHub and uses GitHub Actions and Terraform to run its CI/CD process and define its infrastructure.

Efforts to secure development

To keep the cloud environment secure and to find vulnerabilities and misconfigurations, the team uses Rapid7 InsightVM and Wiz on the infrastructure side, along with Dependabot and advanced security scanning on the code side.

The challenges

The security team at Abnormal runs a modern cloud security process, including best practices for detecting and addressing security issues that pose a risk to the company. Yet the variety of detection tools brought an onslaught of alerts, each tool with its own workflow and its own obstacles to ticketing automation. The team found itself manually coordinating fixes from the piecemeal information each tool generated. Without holistic visibility into findings across the security environment, it became increasingly difficult to prioritize, triage, and action fixes rapidly.

False positives also created a problem. One finding from a source tool was only a genuine vulnerability when the affected code was reached through a particular path, yet the tool reported it everywhere it appeared, producing a large number of false positive instances that the source tool could not exclude on that basis.

At a glance, struggles the team faced included: 

  • Volume of alerts. The team needed to balance the volume and speed of security detections from multiple tools with its remediation. This included identifying low-quality or false positive alerts and enriching with context to better prioritize them.
  • Deduplication. The team made a concerted effort to deduplicate alerts that they were mapping from multiple tools, and felt that they could improve on this time-consuming process.
  • False positives. One particularly problematic false positive was difficult to exclude within the team’s source tool.
  • Manual remediation. Once code owners were identified, the team wanted to make remediation faster and easier, and also be assured that they had fixed the issue at the source.

The solution: Dazz

One view to rule them all

The single pane of glass approach Dazz uses for remediation has been key for the team at Abnormal. 

Rather than triaging and actioning vulnerability findings in each source tool, the company connected the Dazz Unified Remediation Platform to its code repository, integrated all source tooling into Dazz through its API-based integrations, and mapped its code-to-production development environment. This effort also brought in workstation vulnerabilities, which had previously been handled entirely separately from the cloud workflows. The team can now run a single normalized workflow from one source, standardize prioritization and remediation, and keep automating tedious manual processes.

A single exposure management view has not only removed manual work; it has also produced significant value for audits, because the team can gather all evidence from one source rather than juggling evidence from multiple tools that may not tell a cohesive, accurate story of its security practices. The single, cohesive view and comprehensive reporting in Dazz let security and engineering teams audit infrastructure changes in Terraform and track adherence to remediation SLAs.

Deprioritizing thousands of false positives

A false positive from a source detection tool was difficult to exclude because it was only a false positive under a certain path, and the source tool could not scope an exclusion that narrowly. By scoping an exclusion to that specific path in Dazz, the team has been able to exclude over 5,000 associated false positive instances in bulk. Without that capability the team would have been left to suppress them one at a time or to live with an alarming amount of unnecessary noise.
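The two mechanics this section and the earlier "Deduplication" and "False positives" bullets describe, folding the same weakness reported by several tools and many running instances into one root cause, and excluding a rule only under a specific path, can be shown in a few dozen lines. The following is an added illustration written for this page, not Dazz code and not Abnormal's tooling; the finding format, the scanner names (`scanner_a`, `scanner_b`), the rule identifiers and the sample findings are all constructed for the example.

```python
"""Root-cause deduplication and path-scoped exclusion of scanner findings.

Added example: the Finding schema, tool names, rule ids and sample data below
are constructed placeholders, not output from any real scanner.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner raised the alert
    rule: str       # that scanner's own rule / advisory identifier
    path: str       # file or resource path the alert points at (POSIX style)
    asset: str      # running instance it was observed on (pod, host, image, repo)
    severity: str


@dataclass(frozen=True)
class Exclusion:
    rule: str         # canonical rule id
    path_prefix: str  # directory under which this rule is a known false positive


# Constructed: map each scanner's identifier onto one canonical id so the same
# weakness reported by two tools collapses into a single root cause.
CANONICAL_RULE = {
    ("scanner_a", "A-DEP-17"): "DEP-001",
    ("scanner_b", "B-9001"): "DEP-001",
    ("scanner_a", "A-SEC-4"): "SECRET-IN-FILE",
}


def canonical_rule(f: Finding) -> str:
    """Fall back to tool:rule when no cross-tool mapping is known."""
    return CANONICAL_RULE.get((f.tool, f.rule), f"{f.tool}:{f.rule}")


def under_path(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies inside it. Compares whole path
    components, so an exclusion for 'tests' does not swallow 'tests_prod'."""
    p = PurePosixPath(path).parts
    q = PurePosixPath(prefix).parts
    return p[: len(q)] == q


def is_excluded(f: Finding, exclusions) -> bool:
    rule = canonical_rule(f)
    return any(e.rule == rule and under_path(f.path, e.path_prefix) for e in exclusions)


def dedupe_to_root_cause(findings, exclusions=()):
    """Drop excluded instances, then group the rest by (canonical rule, path).

    Returns ({root_cause_key: sorted list of affected assets}, excluded_count).
    One root cause with fifty assets is one fix, not fifty tickets.
    """
    groups = defaultdict(set)
    excluded = 0
    for f in findings:
        if is_excluded(f, exclusions):
            excluded += 1
            continue
        groups[(canonical_rule(f), f.path)].add(f.asset)
    return {k: sorted(v) for k, v in groups.items()}, excluded


def constructed_findings():
    """Constructed sample: one dependency issue seen by two tools across many
    pods, a secret-in-file rule that is noise under tests/ but real elsewhere,
    and a look-alike directory that must not be caught by the tests/ exclusion."""
    out = []
    for i in range(50):
        out.append(Finding("scanner_a", "A-DEP-17", "services/api/requirements.txt", f"api-pod-{i}", "high"))
    out.append(Finding("scanner_b", "B-9001", "services/api/requirements.txt", "repo", "high"))
    for i in range(40):
        out.append(Finding("scanner_a", "A-SEC-4", "tests/fixtures/fake_key.pem", f"ci-runner-{i}", "critical"))
    out.append(Finding("scanner_a", "A-SEC-4", "services/auth/key.pem", "auth-pod-0", "critical"))
    out.append(Finding("scanner_a", "A-SEC-4", "tests_prod/creds.pem", "batch-pod-0", "critical"))
    return out


# Constructed exclusion: the secret rule is a known false positive under tests/ only.
EXCLUSIONS = [Exclusion("SECRET-IN-FILE", "tests")]


if __name__ == "__main__":
    raw = constructed_findings()
    root_causes, excluded = dedupe_to_root_cause(raw, EXCLUSIONS)
    print(f"{len(raw)} raw instances -> {len(root_causes)} root causes, {excluded} excluded")
    for (rule, path), assets in root_causes.items():
        print(f"  {rule} @ {path}: {len(assets)} instance(s)")
```

The exclusion is deliberately keyed on both the canonical rule and a path prefix, never on the rule alone: the same rule firing on `services/auth/key.pem` still surfaces as a root cause, and the component-wise prefix check keeps `tests_prod/` from being silenced along with `tests/`. That is the scoping the source tool in the story could not express.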

Closing gaps in tooling

Along with making it easier to prioritize and fix vulnerabilities through a single view, Dazz has helped the Abnormal security team address gaps in its tooling, particularly tools with data integrity problems around discovery dates.

Dazz also provided visibility into the actual timeline of problematic findings, aligned with the ephemeral nature of the resources they were reported on. The team gained finer granularity for creating exceptions for what it considers the "trickier" false positives, reducing findings volume and fatigue.

Identifying code owners

Dazz has also aided in identifying code owners, creating a stronger and healthier DevSecOps environment and enabling developers to take corrective action in a fraction of the time. 

Results summary

  • Deduplicate alerts to root cause: 1000:1
  • Reduce mean-time-to-remediation from weeks to <1 day for critical issues
  • Excluding 5,000+ false positive instances
  • Stronger ability to automate tedious manual processes
  • Comprehensive reporting for audit preparation

What's next?

The team adds new security tools to its stack continuously, and will integrate each one into its workflows, expanding its single pane of glass in Dazz to include DAST and CDR tooling. The team also plans to work with other business units, aligning vulnerability trends with R&D remediation teams to produce more actionable, focused reporting.
