What is our primary use case?
We have three instances of environments:
- All of our corporate stuff.
- A fake company that we test things with.
- An area for all the shows.
Each show is treated as its own company. When you have green-lit a movie, you say, "I have $50 million to make this movie," then they just burn it down. Once the money is gone, it's gone. Once you make the movie and you deliver it for distribution, then you don't need the company anymore. You just dissolve it and everybody who invested into that gets the return on investment.
We are cloud first, so we are 100% cloud. We don't have a data center. We use SaaS applications and platforms. Avanan is a cloud-based solution that is bolted into Office 365 via an API. We are using a service that is provided to us from Microsoft. We added the Avanan API from the Microsoft stack to integrate into our Office 365 environment. So, we are using Avanan's service, then we just link the two together.
How has it helped my organization?
We have had a significant decline from people accidentally or intentionally clicking on things. For the most part, that is just a lot of education, training, and awareness. There are also the notifications that Avanan does when it may let something go through because it's a legitimate sender but it might give you some information on it, saying, "Hey, this person always sends you an email from their corporate email address. Now, they are sending you something from their personal email address. Be very skeptical, heads up on it, and see what is going on."
We have had attackers send emails to everybody where they were completely fine and nothing was wrong with them whatsoever. They were trying to trick the system to create a confidence level to say, "Oh, yeah. We've always had emails from this person and they're fine. When they send us something that looks like phishing, or is bad, just ignore it because it's a trusted sender." Avanan doesn't do that. Avanan looks at everything independently regardless of whether there is historical information. It will say, "This person has already sent you stuff and it's trusted," because at any given time that person's email account could be compromised, or they could be forwarding something that was compromised. They don't discriminate in regards to trust of letting something go through because they inspect everything regardless of whether it's trusted or not.
The customization was not necessarily a factor for corporate, but it was for television shows and movies because they have different requirements as they go through and have different technology stacks. Because every movie is different, e.g., they want to use different cameras, technology, and solutions, we have to be very flexible in how we roll out the different technology and security to these different pieces.
We just pay attention to see what is going on. Avanan helps us with some trending and modeling of where the attacks are going and who may be the next perceived victim of an attack. This has reduced our SOC team's workload, especially on the administration side of email: the standard things that you would have to do on your remediation paths, workflows, etc. It has really freed up a lot of time.
Avanan has allowed our business to really focus on other different pieces. However, when you look at the tabletop map of the whole battlefield, i.e., the whole war plan, it allows you to reposition resources in other areas that need more attention.
What is most valuable?
The administration feature is amazing.
The detection component is really over the top. For example, in January of this year, we had five different partners who had compromised email accounts and they had no idea. We are not talking internally. We haven't had a compromised email, knock on wood, in over six years because our security architecture and the way it is set up really helps with that. All the compromises that I see are really from external collaborators or other companies. The intelligence of the detection is quick to pick up when there are anomalies associated with how somebody sends an email, where they are sending it from, the language in the email, and things like that. Then, it would flag us to say, "I know they just sent you an email five minutes ago, but this other email they sent you is from a totally different region. Not only that, it doesn't sound right."
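The two behaviours described above (a known name writing from a new domain or region gets a warning, but sender history never exempts a message from content inspection) can be sketched as a small scoring routine. This is an added example written for this page, not Avanan's code or logic; the `Message` fields, the `source_country` stand-in for sending-IP geolocation, the credential-wording list and the sample history are all constructed here.

```python
from dataclasses import dataclass, field
import re


@dataclass
class Message:
    display_name: str     # human-readable sender name shown to the user
    from_addr: str        # actual sender address
    source_country: str   # constructed stand-in for the sending-IP geolocation
    body: str


@dataclass
class SenderProfile:
    domains: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def build_profiles(history):
    """Summarise what has been seen from each display name so far."""
    profiles = {}
    for m in history:
        p = profiles.setdefault(m.display_name.lower(), SenderProfile())
        p.domains.add(m.from_addr.rsplit("@", 1)[-1].lower())
        p.countries.add(m.source_country)
    return profiles


# Constructed indicators: a link combined with wording that asks for a login.
CRED_WORDS = ("password", "verify your account", "sign in", "log in")
URL_RE = re.compile(r"https?://\S+")


def content_warnings(msg):
    """Content checks run on every message, trusted sender or not."""
    warnings = []
    body = msg.body.lower()
    if URL_RE.search(msg.body) and any(w in body for w in CRED_WORDS):
        warnings.append("link plus credential wording")
    return warnings


def history_warnings(msg, profiles):
    """History only ever adds warnings; it never clears a message."""
    p = profiles.get(msg.display_name.lower())
    if p is None:
        return ["first message from this display name"]
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    warnings = []
    if domain not in p.domains:
        warnings.append(f"known name but new domain {domain} "
                        f"(seen: {', '.join(sorted(p.domains))})")
    if msg.source_country not in p.countries:
        warnings.append(f"sent from {msg.source_country}, previously only "
                        f"{', '.join(sorted(p.countries))}")
    return warnings


def assess(msg, profiles):
    """Combine both views; a familiar sender still gets the content checks."""
    return content_warnings(msg) + history_warnings(msg, profiles)


# Constructed sample history: a partner who always writes from the corporate domain, from the US.
HISTORY = [
    Message("Dana Partner", "dana@partner.example", "US", "Notes from yesterday's call attached."),
    Message("Dana Partner", "dana@partner.example", "US", "Revised schedule for the shoot."),
]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    probe = Message("Dana Partner", "dana.partner@freemail.example", "US",
                    "Quick question about the budget.")
    print(assess(probe, PROFILES))
```

The design point is the order of `assess`: `content_warnings` runs first and unconditionally, so a clean history from a sender whose account was later compromised cannot suppress the inspection of the message itself.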
It does a really great job of identifying different things inside the links that just blatantly get missed by Microsoft. In January, those five different companies that had their emails compromised were sending us stuff and Avanan would flag them. Then, our users were like, "No, I am exchanging things with this person. Why are you guys blocking this particular piece?" So, we dove into it and were like, "Oh, well this is really bad because this is actually a compromised account." We would pick up the phone and talk to them, "No, I didn't send that email." It actually was sent from that person's email box, but it was done from a different location. They were deleting and hiding their trail as they do with this correspondence to try to get information.
Avanan is just outstanding on how efficient and effective their learning modules are to pick up on these different pieces. We work with them quite a bit. There have been a couple of different things that they have missed, which were very old school attack vectors. We worked with them on these things and they are quick to pick up on how to remediate them.
The way the system works is emails come into Microsoft, Microsoft processes them, sees what it can drop at the door, and then it goes through Avanan. After it is done with Avanan, then it goes through a different path to Microsoft, which is like, "If I have you on my blocked list, if I have the word 'webinar' in my rules that says webinar it's automatically deleted or moved to the junk folder, and so forth."
There have been a couple different types of critical attacks that would take out an entire company. We're not talking about the phishing ones where you click on a link, then you type in your credentials and they steal your credentials. We are talking nasty stuff that is embedded. Most systems will look at attachments and links. On a link, they detonate it into a certain space and know that, "This has a dropper. We're not going to let it through." Or, people put different scripts inside emails because people send email in HTML format versus Rich Text Format, which then allows you to run JavaScript inside your phone and browser. Avanan reads all those different things, which is great. We have seen a couple of different attacks that were completely missed by Microsoft and a couple of other different associates outside of our company at other companies who got the same attacks, and they were just crippled by them. They will send an attachment, like a PDF or a Word document, then inside that Word document is the actual link that you click on that does the detonation. All the systems that we've seen out there didn't view the link inside the attachment, except for Avanan.
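The "link inside the Word document" case above comes down to opening the attachment rather than stopping at the message body. A .docx is a zip archive of XML parts, and hyperlinks live as relationships with `TargetMode="External"` in `word/_rels/document.xml.rels`, while a URL typed as plain text sits in `<w:t>` nodes of `word/document.xml`. The following is an added example for this page, not Avanan's code: it builds a minimal, constructed .docx in memory and pulls both kinds of link out of it using only the Python standard library. The file names, URLs and document text are all made up here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r'https?://[^\s<>"]+')


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: one hyperlink relationship, one URL in body text."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body>'
        '<w:p><w:r><w:t>Please review the screener for the new show.</w:t></w:r></w:p>'
        '<w:p><w:hyperlink r:id="rId1"><w:r><w:t>Open the screener</w:t></w:r></w:hyperlink></w:p>'
        '<w:p><w:r><w:t>Invoice copy: http://plain.example.test/invoice</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    rels_xml = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://phish.example.test/login" TargetMode="External"/>'
        '<Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    # [Content_Types].xml is omitted; Word would need it, the extractor below does not.
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def visible_text(xml_bytes: bytes) -> str:
    """Join the text runs of a WordprocessingML part (ignores tags and namespaces)."""
    root = ET.fromstring(xml_bytes)
    return " ".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def extract_docx_links(data: bytes) -> list:
    """Return every external target in the .rels parts plus every URL in visible text."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter():
                    # Internal relationships (styles, images) have no TargetMode.
                    if rel.get("TargetMode") == "External" and rel.get("Target"):
                        urls.add(rel.get("Target"))
            elif name.startswith("word/") and name.endswith(".xml"):
                urls.update(URL_RE.findall(visible_text(z.read(name))))
    return sorted(urls)


if __name__ == "__main__":
    for url in extract_docx_links(build_sample_docx()):
        print(url)
```

The same relationship-file approach carries over to .xlsx and .pptx, since all three are OOXML packages; a PDF needs a PDF parser and is not covered here. Anything `extract_docx_links` returns can then be fed to whatever URL reputation or detonation step the mail pipeline already applies to links in the message body.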
We had one that created a very small file that was attached to an email. This was just a standard HTM file, which you see a lot of folks do anyway when they want to load pictures or other different things related to the document or to the email to get certain features. Inside those HTM files or JavaScript, it would normally get picked up, executed, and say, "Oh, this is bad. We're not going to allow you to run a script that's going to encrypt your entire hard drive." We had a couple of those that have come in where the attacker converted the entire script into hexadecimal, then wrote a JavaScript to convert it to ANSI or Windows converted it automatically for you. The different email security tools out there see the hexadecimal as text, so it sees it as 1s, As, 7s, Bs, Cs. They just see it as that and don't do anything. It will say, "Oh, this is just a bunch of random letters and numbers. No big deal." However, Avanan was like, "Oh, wait a minute. This is hexadecimal. Let me convert it and see what it actually does. Holy cow. It's a CryptoLocker. Let's just kill it right there."
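The hex trick described above works against a scanner that only looks at the attachment as written, so the defensive counterpart is to find long hexadecimal runs, decode them, and apply the script checks to the decoded bytes. Below is an added example for this page, not Avanan's logic: it handles bare hex strings and `\xNN` / `%NN` escaped forms, and flags the decoded content only when it contains script markers, so hashes or other long hex values decode to noise and pass. The HTM sample is constructed here and its "payload" is an inert marker string; the minimum run lengths and the marker list are choices made for this example.

```python
import re

# Runs long enough to be content rather than a colour code, an id or a SHA-256.
BARE_HEX = re.compile(r"(?:[0-9A-Fa-f]{2}){40,}")
ESCAPED_HEX = re.compile(r"(?:(?:\\x|%)[0-9A-Fa-f]{2}){20,}")

# Strings that make decoded data executable content rather than noise.
MARKERS = ("<script", "document.write", "eval(", "unescape(", "fromcharcode")


def decode_hex_runs(text: str) -> list:
    """Decode every qualifying hex run; everything else in the file is ignored."""
    blobs = [bytes.fromhex(m.group(0)) for m in BARE_HEX.finditer(text)]
    for m in ESCAPED_HEX.finditer(text):
        blobs.append(bytes.fromhex(re.sub(r"\\x|%", "", m.group(0))))
    return blobs


def scan_htm_attachment(html: str) -> dict:
    """Block only when a decoded run carries script markers."""
    findings = []
    for blob in decode_hex_runs(html):
        decoded = blob.decode("latin-1").lower()   # latin-1 never fails on arbitrary bytes
        hits = [mk for mk in MARKERS if mk in decoded]
        if hits:
            findings.append({
                "markers": hits,
                "preview": blob[:48].decode("latin-1", "replace"),
            })
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_sample_htm() -> str:
    """Constructed HTM attachment: the script is stored as a hex string, as in the review."""
    inner = '<script>document.write("constructed sample; stands in for the real script")</script>'
    return ('<html><body><p style="color:#ffcc00">Invoice attached</p>'
            '<script>var h="' + inner.encode().hex() + '";/* decoder omitted */</script>'
            '</body></html>')


if __name__ == "__main__":
    print(scan_htm_attachment(build_sample_htm()))
```

A plain-text scanner sees only `3c7363726970743e...` in the sample and has nothing to match; `scan_htm_attachment` decodes the run, finds `<script` and `document.write`, and returns `block`. The colour code `#ffcc00` is too short to qualify as a run, which is why the thresholds are worth keeping well above the length of common hex identifiers.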
It has been very quick to pick up on those different types of attacks that have come in. There have been a lot of interesting pieces that we have worked with them on to help identify. There have been a couple of different things that they have blocked and we didn't know why. As we reverse engineered it, we said, "Oh, this is what was going on." It's like, "That is amazing that it was able to decipher that and pull that out."
In all these different examples with other tools that we tested, they all failed miserably on different pieces, not detecting them. That is one of the main reasons why we are very appreciative of the Avanan solution. It is also why we moved it over onto television and movies. We actually have a lot of our users and contractors who will forward things through the system just to validate to make sure that it is legit.
What needs improvement?
Being cloud first and because we are in the movie business, we use a lot of Macintoshes. So, there is absolutely no reason for us to have Active Directory whatsoever. However, if you are using Office 365, you must have Active Directory in order to reset passwords. Even though we have a single sign-on provider, we must have Azure Active Directory for Office 365, which is really stupid. As a cloud application, you would think that I don't need Active Directory, which I don't need for anything else except Office 365. We have one server inside that space to help us manage Active Directory just for Office 365. This is a very sore point, but it is what it is.
There are some things that they can't remediate. The honest thing is nobody can right now because of the nature of how some of the secure email platforms work.
We have worked with them on some other different vendors to integrate into.
There is a particular space that is a unique challenge for everybody. We are trying to help with this as well. For example, if I need to send you information securely, whether I'm using Google, Microsoft, or a third party, I may send you an email that is encrypted but you don't really get the email. When you open up the email you have to click a link to login to a server to read the email, e.g., sometimes a doctor sends you secure messages. The information is not in an email and it's not on your computer, but you receive an email that says, "Click on this link. Login to the server online to view the message or information." Well, in doing that, the message in that email that is sent to you to go to that server is 100% legit. Everything about it is correct, even the TinyURL or whatever. There is nothing wrong with that email. Once you connect to that server and you login to view the message, it may have a payload that will get distributed onto your phone or your computer. Avanan doesn't have a way to protect against that because it's not an email issue anymore. At that point, the email was delivered and it was fine. It was you going to a server in your web browser that caused a problem. Then, the question is: Because the attack vector came in via the email, how do you build out an innovative solution that allows you to better manage the risk associated with secure emails without having to compromise the integrity or confidentiality associated with reading that particular privileged email? I think combinations of browser isolation, proxy, or some other different pieces that endpoint security operation components will address this. There is a handoff or convergence associated with those different faculties or capabilities. Then, the next question is: Is this something that Avanan needs to address or is it something that the endpoint security needs to address?
For how long have I used the solution?
We have been using it for close to two years. We piloted with Avanan early on. We did a bunch of different testing. We have even moved them over onto our production side, like feature films, television shows, etc.
What do I think about the stability of the solution?
The stability is great. There are no issues. There was an outage at one point. It wasn't that long of an outage but it was definitely something that could have been 100% preventable.
Our other email provider, which was an email gateway, was really crappy. When they would have issues, we would hear nothing. We would've been calling, and saying, "Hey, what's going on? What happened here?"
Microsoft might post something on their status board, but they're not going to go into details.
Avanan gave us a root cause analysis within hours. A detailed paper explaining everything that happened. Yeah, it was their mistake, and here's what they're doing to correct it so it doesn't happen in the future. Not only did they give us the details of what the problem was, they also gave us the action plan and what they were doing going forward to make sure it never happened again. They took complete ownership and accountability of that particular outage. That is something that I would expect from somebody on my team and that is why we view Avanan as an extension of our team, because that's how they operate. They are very much into making sure our success is their success.
There is no maintenance for it. Maintenance takes about 10% of an FTE. It is not a dedicated role to manage Avanan. It is very efficient, clean, and effective.
What do I think about the scalability of the solution?
If I was a large organization with tens of thousands of employee users, it is just so much easier for it to bolt on as an API to Office 365 or Google email. It's a no-brainer when it comes to integration implementation as well as the costing for it. It is definitely a solution that scales all the way down for a three or five user company all the way up to tens of thousands of users.
Three or four people are going into it on a regular basis. Email administration that Microsoft lacks is a big part of it. We are also just chasing down when we have potential false positives. Make sure you can whitelist something. However, if you whitelist something then are you whitelisting it so it won't get scanned anymore? There are a lot of different questions when it comes to these different things. We never really say, "Hey, this is a known activity." We always say that it is an activity that was remediated because we don't want the AI to think that some of those things are normal. Otherwise, we may have one that isn't normal and it may not catch it because it was whitelisted or something like that.
For the most part, it is the standard exchange administration which Microsoft doesn't do very well. Whereas, Avanan does an incredible job on managing some of those different parts for the team. Another thing is mainly just chasing down the things that were caught, validating whether or not they are things that should be released.
On occasion, we have had things slip through, and it was all hands on deck to make sure that, "Alright, if this slipped through, where did it go? Does anybody else have it?" We've had a couple different things that slipped through because they were 100% legit, but our users were like, "Hey. Why is everybody in the company getting this link to this screener for this particular movie on a platform that we've never heard of before and wanting us to create an account and log in?" That's just part of the educational training of users for them to be super sensitive to those types of things.
How are customer service and technical support?
The technical support is amazing. They are very quick to respond. If it is not something that has a quick reply, it's like, "Hey, let's get back to you," and then there is relevant follow-up to make sure that we get what we need.
It is easy just to pick up the phone. We have a Slack channel with some of their team members and developers. We go back and forth, talking about innovation opportunities or things that might have been found or missed. As we see it, being cloud first is fairly unique, but not as unique since we have been cloud first for almost a decade. We look at all our different solutions as extensions of our teams. We view Avanan as an extension of our email security component team as much as they see us as an extension of their team for product review, etc. We really try to work well together to maximize the solution investment. It is that whole mentality of, "Help me help you be successful with your deployment in our environment as we go through these different pieces."
Which solution did I use previously and why did I switch?
Avanan is an enhancement to our email security posture.
We originally had our email on an Exchange server hosted at a third-party. Because of the way it was set up with that particular vendor, we couldn't add additional external security onto it, e.g., email security. We had to move it off of their Exchange service to Office 365, and then from there we used an email gateway for our email security. We used a well-known gateway product out there. There were a lot of challenges that we had with them: the growth of the company, scalability, and they were really difficult to work with.
We also tried to use native Office 365 email security components. We realized that the native Office 365 components did just as well as the email gateway. We thought, "Well, we don't need the email gateway. We'll stick with what we have." There were a couple of new capabilities that had come out with another company. We really liked how they had intelligence on the email notifications, such as creating banners that would say, "This came from outside of the company and you have never done business with this person before." It has some really good intelligence components, but it didn't scale or meet the needs that we had. We looked at a lot of different pieces.
We always look for smaller edge platforms that we see as really innovative and great to do business with. When we looked at some of Avanan's different technologies in our test environment, we were really impressed by its capabilities on the things that it was able to detect and how it detected them. Also, its ability to work directly with a lot of different pieces.
We brought Avanan in specifically because there were several different things that Microsoft was missing. It was like, "Hey, we removed an email where someone clicked on a link six or eight hours after it was delivered because we figured it was bad." Or, Microsoft would just take things out of mailboxes without you even knowing. The more frustrating thing, with all these different things going on with the Microsoft Email Security, was we do not have a Microsoft account manager because we were too small. It's not like we can pick up a phone and call Microsoft, and say, "Hey, we got a question about this," or, "Why are you guys doing this?" or, "Hey, do you know? You broke our system. Let's fix it." You just don't have that.
Avanan provided us a place that we could call when we had issues. They can go deeper than Microsoft into a lot of their different product parts.
When we evaluated the product and everything else, it would sit behind the Microsoft Advanced Threat solution and some of the other pieces. If it picked up anything, then it was picking it up because everybody else missed what was in front of them. That is a clear indicator right there. If it was finding it, it was because somebody else missed it who was upstream from them. When we were looking at the numbers of how many things it was catching that Microsoft was missing, then the question was, "Well, why are we paying for the Microsoft Email Protection if it's not doing its job?"
Why couldn't there have been an easier way to manage Microsoft until now? They manage Microsoft way better than Microsoft can manage Microsoft from an email administration perspective.
We had a couple of different accounts that we worked with that we knew got a bunch of things which are bad all the time. As an example, think about a generic email account. That generic email account had both Microsoft security and Avanan security. We would probably see in about a week's time about eight to 12 things that Avanan would pick up and Microsoft would just kill off a whole bunch of other things. When we got rid of the Microsoft component, Avanan was picking up a couple of hundred a week off of that generic email account. We knew Microsoft was working, but it was missing things, and the things that it missed would have literally taken down a company.
If it catches just that one to three emails, it is invaluable. Being able to show that it would pick these things up while all these other ones missed it, but then when we get rid of the other solution, it still picks up what the other solutions were catching. Then, why do I need to pay for other solutions? Because we did have layered email security, but it just became obvious that Avanan was a superior product.
How was the initial setup?
The initial setup was easy-peasy; straightforward. We just integrated the API into Office 365, then there it was. So, we linked the two systems, then it was done. The deployment took five minutes.
It is pretty easy to secure Microsoft Teams using Avanan. It is integrated on the back-end with an API. We just say, "Hey, do that," and it does. We are trying to get it to move into Zoom, but Zoom's not very cooperative. Because the other thing is you have phishing emails, but then you also have smishing, which is text messages and things like that. If you think about people's phones, you get a text message saying, "Hey, click this link to see where you are in the queue to go to the doctor's office," or whatever. A lot of those different types of attacks do droppers onto phones and everything else, which is really bad. If you ever get a text message from somebody you don't know and it has a link in it, just delete it. Especially if it says, "Hey, your package is on its way," don't buy it because it's a dropper. It's just going to put malware on your phone, and that is just bad all the way around.
When we look at softphones and things like that on the computer, Teams, and what have you, that's where we're working with them to help enhance those capabilities. This is not just to protect phishing from communications and emails, but to let us look for phishing and unsolicited text, Team, or Zoom messages as well as Slack or other different pieces. We are looking at how we can do a whole uniform collaboration protection component with that.
This is an integral part of how we work. It is not any different than email or anything else. It's just that it's a tool in our repository that has a lot of user adoption and engagement, especially in current times where not as many folks are actually in the same physical location. So, it is absolutely incredibly imperative that we have solutions in place to help make sure that we don't have malware attachments and other different pieces associated with it. In the case of Avanan, it helps validate the links and everything else associated with those different pieces as well.
What about the implementation team?
It was all through the Office 365 Admin console. We just said, "We are linking these two systems," and then it was just done.
What was our ROI?
If you don't have compromised email accounts, then that is a huge ROI right there. It is a huge win.
If we look at four to five years ago, we had close to six or eight people click a link in an email per month. Now, we are probably down to about five or six clicks a year, if not less. Avanan says if there is anything that comes in for them to click that is bad. The only reason they click something is because it got thrown into their quarantine or it was bad and they forced it out then they clicked it anyway. Now, over the last year, we haven't had any clicks. We have had no clicks at all this year because folks now trust that if it really does go to quarantine, then it really is bad and why.
The other thing that is really nice about the Avanan component is with Microsoft and some of the other different products, if you think about your antivirus, they are like, "Hey, we blocked this file." Okay, why? They don't tell you. Avanan gives you explicit details as to why it is blocked and everything else that is going on with it. That is pretty important. Sharing that with our users has just been an eye-opener, so they all are really drinking the Kool-Aid in regards to staying vigilant around security and everything else. The interesting challenge that we have run into is it is great to read emails and everything else off on a computer, but 80% of our business is done off of a mobile device. Having to make sure that we can protect those mobile devices from things that are loading, an email, or clicking on different things, that is where the product really has helped us. It allows users to keep running as fast as they need to go but give them the guardrails and everything else to help protect them from some of the bad things that are out there. Then, if there is something that gets pulled or flagged, we let them know immediately. "Hey, so-and-so sent you an email but we are holding it because it's bad. If you need it, click this button." We then go through and validate to make sure it's really legitimate to send.
The phishing attacks probably dropped by 90% of what was actually making it into the mailbox. The phishing emails that do find their way in are phishing emails that don't have any attachments or links. They're just from unknown senders and what they're trying to do is to create a reputation, then they will send a follow-up email several days later with the phishing campaign embedded into it.
When we would look at the compromised email accounts from others, we had one particular group or studio that had their email compromised. The person would go through their emails to find an email thread that was with somebody at the company, then try to reply back to that thread with information saying, "Oh, hey. Just checking in with you guys. What's going on? Working on a new project. Here's a link to the next show." It looks like it is legitimately from that person, but it really isn't, and Avanan picks it up. In this case, the person would send another email, "Oh, I'm sorry. Here's the attachment," or, "Here's the link," and it goes straight to quarantine. Then, the user's like, "Hey. What happened here?" We're like, "Okay. The email was a legitimate email that was sent but then the follow-up email was the one that had the payload or phishing component trying to get you to enter in credentials or things like that."
Avanan specifically goes and looks for screen scrapes, or things like that, to look for somebody who is trying to impersonate a site for you to enter in accounts. Like, "Hey. It looks like the Microsoft login screen," or something like that, but our users know that if they have a login screen to something in the cloud then it is right away fake because of the way our security architecture is set up, e.g., they don't get a login screen. If I were to click on a link that says, "Hey. Open up this file in OneDrive," or, "Open this file in Box," and I click on a link and it brings me to a Box login screen or Microsoft login screen, then I know it's fake.
What's my experience with pricing, setup cost, and licensing?
Everything is negotiable, but it is fair and reasonable for what you get.
It is based off of your Office 365 licensing, so it is user-based. Avanan works with you on how you need to have it arranged. If I'm making a movie, we may only have five to six users at the very beginning. When we go to principal photography, or whatever, a couple months later, I may have 400 or 1,800 users. It varies by week. We have people come on and off. Then, when it goes into post-production, it may drop back down to 200 users and finally back down to 18 users. A movie can take anywhere from eight months to three years to make just depending on what's going on with it. There is absolutely no way to sign a commitment for a movie to use a product to say, "I'm going to buy 500 seats," when some weeks it's only eight people and other weeks it is 1,800 people. I'm not going to buy 1,800 seats for three years. That's ridiculous.
Having the flexibility and modeling to do the pricing that best fits the needs of the organization is incredibly ideal. That is what Avanan does. They know exactly how many users are using it, etc. We can tune the invoicing associated with how we are using the product so we can charge it back to the shows appropriately. When making a movie, if my budget is $15 million and then it burns down, I can't go back and ask for more money. Once it's gone, it's gone. If my technology stack is going to cost me a million dollars for a show that only costs $12 million to make, that's ridiculously expensive.
The technology doesn't change. You're still going to have the same amount of users. You're still going to have the same systems and everything else, so you have to be more flexible on how you can maximize the investment and work through the cost models that best fit the needs of the particular project or environment that you're working in.
In corporate, it is completely different. However, on the corporate side, it does vary throughout the year where we have different things that come in within the organization. The licensing is really negotiable on what works best. If your organization is going to be at a set level for the next three years, then sign a three-year deal. You'll get a better value for it. If your numbers vary a lot, then go to month-to-month licensing.
We manage whom we want to cover and don't want to cover in regards to the television side. However, on the corporate side, we just cover everybody. There are accounts which don't have email accounts that you don't want to have count against your total number that you're paying for protection. There are a lot of different levers that you can pull to customize it however you see fit for the organization. But, if I am a small to midsize company or even just a small mom and pop shop of eight people, this is an ideal solution because then you can pay month-to-month. You're not paying any kind of overhead for hardware or anything else associated that goes in with it. It is very elegant and very clean.
Which other solutions did I evaluate?
There were a couple different ones that we checked out. They were unique in their own right. Some of them were very niche on what they could do, but what we really decided on is we did not want an email gateway. We wanted an email protection system that was integrated directly into Microsoft via API. Because an email gateway receives emails and then forwards them on, where if it's integrated into Office 365, then it inspects it while it is in your box. There are a lot of advantages and disadvantages to that, but we just didn't want to have another bottleneck that if the email gateway went down then we are not getting any emails whatsoever. If my email goes down, it is because Microsoft goes down.
Another thing is an email gateway does not remove emails from your inbox. Whereas, if an API is integrated into your platform, then the administration will actually manage the mailboxes for you. If we have to go in and pull something or take something and put it in there, then we can do that. Or, if we need to manipulate what we need, e.g., let the email be there but not the attachment, then it gives us a lot more scalability and configurability to manage the messaging and user experience.
Something that was fascinating is the Avanan platform manages Microsoft email better than Microsoft does. It has been just great. It made it real easy for our folks to say, "Hey, we got to pull this email from everybody's mailboxes." Single click. Or, "We have to identify who all received this particular component," or other different things that we need to do. Where in the Microsoft world, you need to run PowerShell scripts, which is really stupid from the standpoint that if you are a cloud-based solution, why am I doing command lines in order to execute simple administrative activities? It is great that a lot of those old schoolers love command lines, but it just doesn't make sense to do command lines over the cloud, unless I physically have a direct line into that console and am managing the actual server. However, for a cloud platform to do CLI, that is ridiculous.
I guess our expectations are a bit high and Microsoft is just not meeting them.
Avanan provides rich, contextual information that helps protect our users. We are given way more information than Microsoft ever would give us. It is actionable information and information that makes sense.
What other advice do I have?
I would highly recommend it. I would rate Avanan as 10 out of 10.
It is used across the entire enterprise. This year we have extended it out beyond corporate to movie shows. Going forward, all new movies and television shows are leveraging the platform. After a year and a half of having it at corporate, we moved it out of corporate onto other projects outside. So, it has very much expanded its presence inside and outside the organization.
Which version of this solution are you currently using?