Avanon Email Security Implementation and Dashboard Demonstration Notes

Pre-Demo Discussion: Expense Reporting and Personal Context

  • Self-Reporting Expenses: The speakers discuss the ethics and pragmatics of self-reporting small accounting errors. One speaker mentions a previous error involving a 4.00 to 9.00 DoorDash charge for which they had to send a check to rectify the mistake. They prefer self-reporting with screenshot receipts to avoid complications later.
  • Hardware and Art: A participant explains purchasing a laptop replacement for their daughter. Her previous Chromebook could not handle digital art and drawing tablets, necessitating a more powerful machine.

Avanon Integration and Dashboard Overview

  • Integration Timeline: The Avanon integration was activated on June 28, approximately 6 days prior to the call.
  • Snapshot Data: Because the integration is so new, the dashboard reflects only the last 6 days of the environment even though it is filtered for a 30-day view.
  • Primary Statistics:
    * Phishing: 121 phishing emails identified.
    * Malware: 3 malware attachments or content items detected.
    * Business Email Compromise (BEC): 0 detections during this period.
    * Data Loss Prevention (DLP): 0 triggers during this period.
  • Avanon vs. Microsoft Cooperation:
    * Avanon works alongside Microsoft Office 365. Both platforms receive and scan emails simultaneously.
    * Avanon applies its own scoring criteria on top of Microsoft's scoring to reach a combined determination.
    * Detection Delta: The dashboard highlights the "delta": emails that Microsoft Defender/Exchange categorized as clean but Avanon identified as malicious.
  • Current Policy State: The system is currently set to "Monitor Only" mode. It gathers information and may generate reports for users, but takes no defensive action such as quarantining.

Login Events and Anomalous Travel

  • Anomalous Travel Detection: The platform tracks login events via geolocation. This feature is designed to flag "impossible travel" scenarios.
    * Example: If a user logs in from California and then logs in from London an hour later, the system triggers an alert because the distance cannot be traveled in that timeframe.
  • Geolocation Map: The dashboard provides a visual map of login attempts.
    * Named Example: Sam P. was noted as logging in from the UK.
  • Security Logic: Logins from different parts of the world (e.g., East Coast vs. Europe) do not automatically trigger security events unless they violate the anomalous travel timeframe indicators.
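A minimal version of the impossible-travel check described above, added here as an illustration; it is not Avanon's own logic. It assumes each login has already been geolocated to latitude/longitude, uses a 1,000 km/h plausibility ceiling and ignores moves under 100 km (both assumptions, to absorb geolocation jitter), and runs over constructed sample logins that reproduce the California-to-London case beside a New York-to-London trip spread over 12 hours, which correctly does not fire:

```python
# Added example: consecutive-login speed check ("impossible travel").
# Coordinates, timestamps and thresholds below are constructed/assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0      # assumption: ignore jitter inside one metro area


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime   # timezone-aware
    lat: float
    lon: float
    label: str       # city/country returned by the geolocation lookup


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one tuple (user, from, to, km, hours, km/h) per consecutive pair
    of logins by the same user whose implied ground speed exceeds max_kmh.
    Events are grouped per user and sorted by time before comparison."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")   # same-instant = impossible
            if kmh > max_kmh:
                alerts.append((user, prev.label, cur.label, round(km),
                               round(hours, 2), kmh if hours <= 0 else round(kmh)))
    return alerts


T0 = datetime(2025, 7, 1, 12, 0, tzinfo=timezone.utc)
# Constructed sample: alice is in California, then London an hour later;
# bob travels New York -> London over 12 hours; sam logs in from the UK only.
SAMPLE_EVENTS = [
    Login("alice", T0, 37.77, -122.42, "San Francisco, US"),
    Login("alice", T0 + timedelta(hours=1), 51.51, -0.13, "London, UK"),
    Login("bob", T0, 40.71, -74.01, "New York, US"),
    Login("bob", T0 + timedelta(hours=12), 51.51, -0.13, "London, UK"),
    Login("sam", T0, 51.51, -0.13, "London, UK"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
```

Only alice's pair is reported: roughly 8,600 km in one hour. bob's trip works out to under 500 km/h, which is why, as the notes say, a login from the East Coast followed by one from Europe is not an event by itself.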

Detailed Phishing Analysis: The Julie Ray Case Study

  • Case Example: A specific email regarding a "request for current insurance certificate" from a sender identified as Julie Ray.
  • Reasons for Detection: Avanon provides granular details on why an email is flagged, including:
    * Credential Harvesting: The email body prompted the user to log in to an external site.
    * Authentication Failures: The message carried no DKIM signature and did not pass DMARC.
    * Header Anomalies: Non-ASCII information present in the headers.
    * Machine Learning: Algorithmic identification of phishing patterns.
    * Sender Reputation: Evaluation of the sender's history and traffic volume.
    * User Impersonation: The email claimed to be from "accounts payable" but was sent from a named individual's address, a common impersonation tactic.
  • Attachment Handling:
    * Avanon scans the contents of attachments if they are well-known file types and are not password-protected.
    * If a file is password-protected, Avanon cannot scan its contents; the inability to inspect it raises the phishing risk score for that email rather than lowering it.
  • Transport Chain: The tool reconstructs the relay path the email took to identify its origin. In the Julie Ray example the email originated in Japan, which is suspicious for a sender claiming to represent a US-based vendor.
  • Auxiliary Tools: Within the platform, engineers can use "Sandbox Previews" to open links safely or submit items to "VirusTotal" for a further determination.
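To make the detection reasons above concrete, here is an added rule-based triage of a single message; it is not Avanon's engine. The message is constructed to carry the listed signals: DKIM and DMARC not passing, a non-ASCII byte in a header, an "Accounts Payable" display name on a personal mailbox, a login prompt pointing off the sender's domain, and a zip attachment whose "encrypted" flag is set so it cannot be inspected (the flag is set by hand; no real encryption is applied). Domains use the reserved example.* names; the list of scannable types, the weights and the threshold are assumptions. Geolocating the origin hop, sender reputation and the ML signal are out of scope here:

```python
# Added example: explainable phishing triage over one raw message (bytes).
# Sample message, weights, threshold and scannable-type list are constructed/assumed.
import base64
import email
import io
import re
import zipfile
from email import policy

ROLE_TERMS = ("accounts payable", "accounting", "payroll", "helpdesk", "it support")
LOGIN_RE = re.compile(r"\b(log ?in|sign ?in|verify your account)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)
SCANNABLE = {"application/pdf", "application/zip", "text/plain"}   # assumption
WEIGHTS = {"auth": 1, "header": 1, "impersonation": 2, "credential": 3, "attachment": 2}
PHISH_THRESHOLD = 5   # assumption


def auth_results(msg):
    """Map dmarc/dkim/spf -> result parsed from Authentication-Results ('missing' if absent)."""
    out = {"dmarc": "missing", "dkim": "missing", "spf": "missing"}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(dmarc|dkim|spf)=(\w+)", str(hdr), re.I):
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def zip_is_encrypted(data):
    """True if any member has the general-purpose 'encrypted' bit (bit 0) set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(zi.flag_bits & 0x1 for zi in zf.infolist())


def triage(raw):
    """Return (verdict, score, reasons) for a raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    auth = auth_results(msg)
    for mech in ("dmarc", "dkim"):
        if auth[mech] != "pass":
            reasons.append(f"auth: {mech}={auth[mech]}")
    if any(b > 0x7F for b in raw.split(b"\r\n\r\n", 1)[0]):   # header block only
        reasons.append("header: non-ASCII bytes in the header block")
    sender = msg["From"].addresses[0] if msg["From"] else None
    name = sender.display_name.lower() if sender else ""
    local, domain = (sender.username, sender.domain) if sender else ("", "")
    role = next((t for t in ROLE_TERMS if t in name), None)
    if role and not any(w in local.lower() for w in role.split()):
        reasons.append(f"impersonation: '{sender.display_name}' on personal mailbox {sender.addr_spec}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {h.lower() for h in URL_RE.findall(text)}
    if LOGIN_RE.search(text) and any(not h.endswith(domain.lower()) for h in hosts):
        reasons.append("credential: login prompt linking off the sender's domain")
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype not in SCANNABLE:
            reasons.append(f"attachment: {ctype} is not a well-known scannable type")
        elif ctype == "application/zip" and zip_is_encrypted(part.get_content()):
            reasons.append("attachment: password-protected zip cannot be inspected")
    score = sum(WEIGHTS[r.split(":", 1)[0]] for r in reasons)
    return ("phish" if score >= PHISH_THRESHOLD else "clean", score, reasons)


def make_zip(encrypted):
    """Constructed one-member zip; optionally set the encrypted flag in the
    central directory entry (flags sit at offset 8 of the PK\\x01\\x02 record)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certificate.pdf", b"%PDF-1.4 stub")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)


def build_sample(encrypted_attachment=True):
    """Constructed message carrying the signals from the notes (reserved example domains)."""
    lines = [
        "Received: from mail.example.net ([203.0.113.7]) by mx.example.com; Tue, 1 Jul 2025 01:02:03 +0000",
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net; dkim=none; dmarc=none",
        "From: Accounts Payable <julie.ray@example.net>",
        "To: finance@example.com",
        "Subject: Request for current insurance certificate",
        "X-Mailer: Мailer",   # leading Cyrillic M: non-ASCII bytes in the header block
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Please log in at https://portal.example.org/verify to confirm the attached request.",
        "--b1",
        'Content-Type: application/zip; name="certificate.zip"',
        'Content-Disposition: attachment; filename="certificate.zip"',
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(make_zip(encrypted_attachment)).decode(),
        "--b1--",
        "",
    ]
    return "\r\n".join(lines).encode("utf-8")


if __name__ == "__main__":
    print(triage(build_sample()))
```

Each reason is prefixed with its category so the score stays explainable; the encrypted attachment adds to the score instead of being skipped, which is the behaviour the notes describe.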

Data Loss Prevention (DLP) and Security Policies

  • DLP Definition: Policies designed to prevent sensitive data (passwords, Social Security numbers, dates of birth) from being sent via email, which is a poor channel for such data because messages persist in mailboxes and backups long after they are sent.
  • Configuration Logic: It is recommended to configure DLP in either Microsoft or Avanon, but not both simultaneously, to avoid conflicting or duplicated policy actions.
  • Functionality:
    * Outbound/Internal: Primarily stops sensitive data from leaving the organization or moving insecurely between employees.
    * Inbound: Can identify sensitive data coming in and alert the user/client as a courtesy.
  • Audit Logs: Avanon maintains a strict audit log for any admin who views the body or attachments of an email to protect privacy and prevent abuse.

User Interaction and Reporting Workflows

  • Scheduled Reports: Users typically receive periodic digest emails (e.g., at 8:00 AM and 1:00 PM) listing all actions taken on their emails (spam, phishing, etc.).
  • User Portal: A separate portal exists where users can view quarantined emails for up to 30 days.
  • Release Requests:
    * Spam: Users can often mark senders as "trusted" to release the email.
    * Phishing: Typically requires admin/engineer approval.
  • UBio Service Model: UBio engineers intend to fully support the product, meaning their team reviews release requests and follows up with end-users to verify if an email is a false positive or legitimately malicious.

Advanced Protection Features: Click Time and Smart Banners

  • Click Time Protection: This feature rewrites links in the message into Avanon-routed links, so the destination is evaluated at the moment of the click rather than only at delivery time. Because the rewritten link is the one the user sees, the check also applies when the user copies the URL into a browser instead of clicking it.
  • Smart Banners: Contextual banners added to emails to warn users about specific risks (e.g., "External Sender" or "Name/Address Mismatch").
    * Advantage over Microsoft: Unlike Microsoft banners that appear on every reply in a thread, Avanon Smart Banners only appear on the first email of a chain to reduce "banner fatigue."
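An added sketch of how click-time link rewriting can be built; it is not Avanon's implementation. Every absolute href in the body is replaced by a redirector URL that carries the original destination plus an HMAC tag, so the redirector cannot be turned into an open redirect by swapping in a different destination, and the verdict (here a constructed blocklist standing in for whatever the service consults at click time) is applied when the link is resolved, whether it was clicked or pasted. The redirector host, the key, the blocklist and the HTML body are assumptions:

```python
# Added example: HMAC-tagged URL rewriting at delivery, verification at click.
# Redirector, key, blocklist and the HTML body are constructed/assumed.
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

REDIRECTOR = "https://click.example.com/r"     # assumption: the rewriting service
KEY = b"per-tenant-secret-rotate-me"            # assumption: key held only by the service
BLOCKLIST = {"bad.example.org"}                 # assumption: stand-in for the click-time verdict source
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.I)

# Constructed body: one link judged malicious at click time, one benign.
SAMPLE_HTML = ('<p>Please <a href="https://bad.example.org/login">sign in</a> '
               'or read the <a href="https://docs.example.com/policy">policy</a>.</p>')


def _tag(url):
    """Truncated HMAC-SHA256 over the original URL, URL-safe base64 without padding."""
    mac = hmac.new(KEY, url.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")


def rewrite_url(url):
    """Wrap one destination: the original URL travels in 'u', its tag in 't'."""
    return f"{REDIRECTOR}?u={quote(url, safe='')}&t={_tag(url)}"


def rewrite_body(html):
    """Delivery time: replace every absolute http(s) href with its wrapped form."""
    return HREF_RE.sub(lambda m: f'href="{rewrite_url(m.group(1))}"', html)


def resolve_click(wrapped):
    """Click time: verify the tag, then apply the current verdict.
    Returns ('reject', None) for missing/tampered links, else ('block'|'allow', url)."""
    q = parse_qs(urlsplit(wrapped).query)
    url, tag = q.get("u", [""])[0], q.get("t", [""])[0]
    if not url or not hmac.compare_digest(tag.encode(), _tag(url).encode()):
        return ("reject", None)
    host = (urlsplit(url).hostname or "").lower()
    return ("block" if host in BLOCKLIST else "allow", url)


if __name__ == "__main__":
    for link in HREF_RE.findall(rewrite_body(SAMPLE_HTML)):
        print(resolve_click(link))
```

A link whose destination is edited after rewriting fails the tag check and is rejected outright; a link that was clean at delivery but is on the blocklist by the time it is opened is blocked, which is the whole point of deferring the decision to click time.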

Shadow IT and Platform Expansion

  • Shadow IT Analytics: Avanon scans email traffic to identify unsanctioned third-party platforms (e.g., Zoom, Google Drive, Slack) being used by employees. This informs management if they need to provide better tools or training.
  • SaaS Integration: The licensing can extend protection to SharePoint, Teams, and OneDrive.
  • Google Drive Constraint: Avanon can only protect organizationally managed Google Drive instances. It cannot access or monitor personal Google accounts used by employees.

Questions & Discussion

  • Farik: "How do data loss prevention policies work together [between Microsoft and Avanon]?"
    * Response: It is recommended to choose one to avoid mirroring issues. Avanon is often preferred for unified reporting and user interaction.
  • Farik: "What happens in those race scenarios [where Microsoft pushes an email through but Avanon scans it as malicious]?"
    * Response: Avanon will take action even if Microsoft labels it as clean. The default behavior is for Avanon to override a "clean" Microsoft score if its own analysis finds a threat.
  • Farik: "Is there any economy of scale with these [detections]?"
    * Response: Yes. Avanon uses machine learning based on data from its entire global client base, not just UBio's specific portfolio. It also learns the specific environment of the user over time.
  • Farik: "Is it possible to describe what that interaction is like with the employee if the email is flagged?"
    * Response: Users receive reports (e.g., twice daily). They can click a link to request a release, which then goes to an admin for approval depending on the policy severity (Phish vs. Junk).

Scheduling and Next Steps

  • Portal Access: Farik and Davis will receive admin login credentials by tomorrow morning.
  • Follow-up Meeting: Scheduled for Tuesday from 1:00 PM to 2:00 PM (duration: 1 hour).
  • Agenda for Tuesday: Deep dive into SharePoint and Teams protection, and an overview of the Training Module.
  • Trial Expiration: There are 8 days remaining in the Avanon trial period.